On Mon, Jul 6, 2026 at 1:32 PM Marcel Stör <[email protected]> wrote: > > Hi, > > I tracked the fix for https://www.cve.org/CVERecord?id=CVE-2026-54399 > back to > https://github.com/apache/httpcomponents-core/commit/fdc53a32fe0fccf098cc67e71cd125e447c759ed. > According to MITRE, only HTTP Core v5 is affected. However, the NVD > updated its entry today to declare > "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" be vulnerable "Up > to (including) 5.4.2". While Http1Config.java isn't part of the v4.4 > code base, I found that > org.apache.http.config.MessageConstraints.Builder has a similar kind of > -1-means-infinite logic. > Can you confirm that NVD's CPE is correct in including pre v5 versions? > > Cheers, > > -- > Marcel Stör, https://frightanic.com > My PGP key: https://frightanic.com/pgp/ >
Hello Marcel, The CVE doesn't talk about 4.x because it lives in a different Java package and different Maven coordinates. 5.x is not a drop in replacement for 4.x. If you tried to replace 4.x with 5.x, your app wouldn't run. So it doesn't make sense for a report to talk about 4.x and 5.x, except in the most general terms. HTH, Gary --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
