On Mon, Jul 6, 2026 at 1:32 PM Marcel Stör <[email protected]> wrote:
>
> Hi,
>
> I tracked the fix for https://www.cve.org/CVERecord?id=CVE-2026-54399
> back to
> https://github.com/apache/httpcomponents-core/commit/fdc53a32fe0fccf098cc67e71cd125e447c759ed.
> According to MITRE, only HTTP Core v5 is affected. However, the NVD
> updated its entry today to declare
> "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" be vulnerable "Up
> to (including) 5.4.2". While Http1Config.java isn't part of the v4.4
> code base, I found that
> org.apache.http.config.MessageConstraints.Builder has a similar kind of
> -1-means-infinite logic.
> Can you confirm that NVD's CPE is correct in including pre v5 versions?
>
> Cheers,
>
> --
> Marcel Stör, https://frightanic.com
> My PGP key: https://frightanic.com/pgp/
>

Hello Marcel,

The CVE doesn't talk about 4.x because it lives in a different Java
package and different Maven coordinates. 5.x is not a drop in
replacement for 4.x. If you tried to replace 4.x with 5.x, your app
wouldn't run. So it doesn't make sense for a report to talk about 4.x
and 5.x, except in the most general terms.

HTH,
Gary

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to