[BUG] CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client

[ruiarodrigues]

Describe the bug
There's a CVE-2025-22227 for azure sdk for java in the dependency reactor-http-netty. Reactor-netty-http 1.0.48 is used by the sdk. It seems that there's a version 1.0.49 available but only in spring with a commercial license.
It would be good to have a new version without going to the latest version 1.2.x of the reactor-netty-http since it needs a more recent netty version and it can break applications that are stuck with an earlier netty version (it's my case).

Another question would be if this CVE affects in any way the azure sdk. Maybe the sdk client doesn't follow redirects

[alzimmermsft]

Thanks for filing this issue @ruiarodrigues.

As mentioned in the CVE notes redirect following must be explicitly configured, which we don't do in azure-core-http-netty.

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

That said, we will be looking into upgrading our Reactor Netty dependency version anyways as 1.0.x has been end-of-life for a while now and any future CVEs may affect azure-core-http-netty with no good escape hatch.

[ruiarodrigues]

Thanks for the quick reply

[in-fke]

Would it hurt to update to https://mvnrepository.com/artifact/io.projectreactor.netty/reactor-netty-http/1.2.8
which still depends on Netty 4.1 ?