| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jboss.resteasy:resteasy-client | maven | >= 4.0.0, <= 4.5.12 | 4.6.0 |
| org.jboss.resteasy:resteasy-client | maven | >= 3.0.0, <= 3.11.5 | 3.12.0 |

The vulnerability stems from improper input validation when handling HTTP headers. The commit diff shows a critical change in `ClientHeadersRequestFilter.java` where the method to retrieve the declaring class was modified. Originally, `method.getDeclaringClass()` was used, which could return a superclass instead of the actual implementation class in inheritance scenarios. This misresolution would cause the wrong `ClientHeadersFactory` to be used, bypassing proper header validation/sanitization. The patch introduced `ClientRequestContextUtils.getDeclaringClass()` to correctly identify the class from the request context, addressing the injection vector. The test case changes in `ClientHeadersFactoryCDITest.java` further confirm the issue occurred when client interfaces used inheritance, reinforcing that the filter's class resolution logic was the root cause.
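
The class-resolution mismatch described above can be reproduced with plain reflection. This is an added example, not RESTEasy code or part of the patch: the `HeadersFactory` annotation, the two interfaces and both lookup helpers are hypothetical stand-ins for the factory-selection logic.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;

public class DeclaringClassDemo {
    // Hypothetical stand-in for the annotation that names a headers factory.
    @Retention(RetentionPolicy.RUNTIME)
    @interface HeadersFactory { String value(); }

    // Parent interface: declares the resource method and names its own factory.
    @HeadersFactory("BaseFactory")
    interface BaseApi { String get(); }

    // Child interface: the one the client is actually built from.
    // It inherits get() and names a different factory.
    @HeadersFactory("TenantFactory")
    interface TenantApi extends BaseApi { }

    // Pre-patch style: resolve the factory from the method's declaring class.
    static String factoryFromMethod(Method m) {
        HeadersFactory a = m.getDeclaringClass().getAnnotation(HeadersFactory.class);
        return a == null ? "none" : a.value();
    }

    // Post-patch style: resolve the factory from the interface the client was
    // built from (assumed here to be carried alongside the request).
    static String factoryFromClientInterface(Class<?> clientInterface) {
        HeadersFactory a = clientInterface.getAnnotation(HeadersFactory.class);
        return a == null ? "none" : a.value();
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // The method is looked up through the child interface, as a client proxy would.
        Method m = TenantApi.class.getMethod("get");

        // getDeclaringClass() reports where get() was written, not where it was invoked.
        System.out.println("declaring class:   " + m.getDeclaringClass().getSimpleName());
        System.out.println("client interface:  " + TenantApi.class.getSimpleName());

        // The two lookups disagree, so the method-based one picks the parent's factory.
        System.out.println("method lookup:     " + factoryFromMethod(m));
        System.out.println("interface lookup:  " + factoryFromClientInterface(TenantApi.class));
    }
}
```

A regression test for the fix should build the client from a child interface and assert that the child's factory handled the outgoing headers, which is the inheritance scenario the page attributes to `ClientHeadersFactoryCDITest.java`.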