CVE-2022-31684: Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens
CVSS Score: 4.3 (CVSS 3.1)
Basic Information

- CVE ID:
- GHSA ID:
- EPSS Score: 0.45394%
- CWE:
- Published: 10/20/2022
- Updated: 2/3/2023
- KEV Status: No
- Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.projectreactor.netty:reactor-netty-http | maven | >= 1.0.11, < 1.0.24 | 1.0.24 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs when an invalid HTTP request triggers WARN-level logging that includes sensitive request headers, such as those carrying access tokens. The key change in the patch adds log-level checks before logging in AbstractHttpServerMetricsHandler.write(), which handles HTTP response writing; this was the primary location where metrics-related exceptions raised during request processing could write headers to the logs. The other modified files either 1) add safety checks for non-HTTP components (such as connection pools), 2) affect only debug-level logging, or 3) are unrelated to the HTTP header logging scenario described in the CVE.