CVE-2024-53990 – Cookie handling flaw in AsyncHttpClient

Severity: None

Date: 2025-12-19


Abstract

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.

The Oxygen products incorporate AsyncHttpClient (AHC) as a third-party library. This advisory was opened to address the potential impact of that library's vulnerability on the Oxygen products.

Affected Products/Versions

Product                                   Severity   Fixed Release Availability
Oxygen Content Fusion v7.1 and older      None       Oxygen Content Fusion 8.0 build 2025031016
Oxygen XML Editor v27.0 and older         None       Oxygen XML Editor 27.1 build 2025032106
Oxygen XML Author v27.0 and older         None       Oxygen XML Editor 27.1 build 2025032106
Oxygen XML Developer v27.0 and older      None       Oxygen XML Editor 27.1 build 2025032106
Oxygen Publishing Engine v27.0 and older  None       Oxygen Publishing Engine 27.1 build 2025032023

Mitigation

None

Detail

CVE-2024-53990

Severity: Critical

CVSS Score: 9.2

CVE-2024-53990 affects the AsyncHttpClient (AHC) library. When issuing HTTP requests, AHC’s automatically managed CookieStore can silently replace explicitly set cookies with cookies of the same name from its cookie jar. In multi-user services, this can cause a user’s cookie to be sent on another user’s request, leading to session mix-up or unintended authorization context.
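The precedence problem described in the Abstract and in this Detail section is easiest to see in a small model. The following Python block is an added illustration written for this advisory; it is not AsyncHttpClient code and makes no claim about AHC's internal API. It models a client with one process-wide, self-managed cookie jar, contrasts the flawed merge order (jar entry overwrites an explicitly set cookie of the same name) with the corrected order (explicit cookie wins), and shows the per-user-jar pattern that keeps tenants apart even under the flawed order. The traffic, user names and the upstream URL are constructed for the example.

```python
"""Model of the cookie-jar precedence flaw described in CVE-2024-53990.

Added illustration only: this is NOT AsyncHttpClient code. It models a client
that keeps one shared cookie jar and merges it into every outgoing request,
and shows why "jar wins on name collision" sends one user's session cookie on
another user's request in a multi-tenant service.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    user: str                                               # tenant acted for
    url: str
    explicit: Dict[str, str] = field(default_factory=dict)  # cookies set by caller


class CookieJar:
    """Minimal self-managed jar: remembers Set-Cookie values from responses."""

    def __init__(self) -> None:
        self.cookies: Dict[str, str] = {}

    def store(self, set_cookie: Dict[str, str]) -> None:
        self.cookies.update(set_cookie)


def merge_vulnerable(req: Request, jar: CookieJar) -> Dict[str, str]:
    """Flawed precedence: jar entries overwrite explicitly set cookies of the
    same name (the behaviour the advisory describes)."""
    merged = dict(req.explicit)
    merged.update(jar.cookies)
    return merged


def merge_fixed(req: Request, jar: CookieJar) -> Dict[str, str]:
    """Corrected precedence: an explicitly set cookie always wins."""
    merged = dict(jar.cookies)
    merged.update(req.explicit)
    return merged


def cookie_header(cookies: Dict[str, str]) -> str:
    """Render the merged cookies as a Cookie request header value."""
    return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


def overridden(req: Request, sent: Dict[str, str]) -> List[str]:
    """Names whose value on the wire differs from what the caller set.
    A non-empty result on a per-user request is the cross-user condition."""
    return sorted(n for n, v in req.explicit.items() if sent.get(n) != v)


Merge = Callable[[Request, CookieJar], Dict[str, str]]


def run_scenario(merge: Merge) -> Tuple[str, List[str]]:
    """Two tenants share one client (one jar). Returns the Cookie header sent
    on Bob's request and the names that were silently replaced."""
    jar = CookieJar()
    # Constructed traffic: Alice logs in and the upstream (assumed host
    # upstream.example) answers with a session cookie; the shared jar keeps it.
    jar.store({"session": "alice-session-token"})
    # Bob's request carries his own session cookie explicitly.
    bob = Request("bob", "https://upstream.example/account",
                  explicit={"session": "bob-session-token"})
    sent = merge(bob, jar)
    return cookie_header(sent), overridden(bob, sent)


def run_isolated() -> Tuple[str, List[str]]:
    """Mitigation pattern: one jar per tenant, so jar contents can never
    belong to a different user even under the flawed merge order."""
    jars: Dict[str, CookieJar] = {}

    def jar_for(user: str) -> CookieJar:
        return jars.setdefault(user, CookieJar())

    jar_for("alice").store({"session": "alice-session-token"})
    bob = Request("bob", "https://upstream.example/account",
                  explicit={"session": "bob-session-token"})
    sent = merge_vulnerable(bob, jar_for("bob"))
    return cookie_header(sent), overridden(bob, sent)


if __name__ == "__main__":
    cases = (
        ("shared jar, vulnerable merge", lambda: run_scenario(merge_vulnerable)),
        ("shared jar, fixed merge", lambda: run_scenario(merge_fixed)),
        ("per-user jar, vulnerable merge", run_isolated),
    )
    for name, fn in cases:
        header, replaced = fn()
        print(f"{name:32} Cookie: {header}   replaced={replaced}")
```

Run as a script it prints the three outcomes side by side: with the shared jar and the flawed order Bob's request goes out with `session=alice-session-token`, which is exactly the cross-user condition the advisory warns about; with explicit-wins precedence, or with a jar scoped to each tenant, Bob's own token is sent. The `overridden` check is the kind of assertion a service that hands user-supplied cookies to a shared HTTP client could add to its tests.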

Based on our review, the vulnerable code path is not exposed by the way the Oxygen products use the library. The AHC dependency has nevertheless been updated in the current release lines (see Affected Products/Versions) to versions that address this vulnerability.
