Closed
Description
Issue is very similar to CVE-2016-8624 that affected cURL last year.
AHC URL parser, org.asynchttpclient.uri.Uri, can be tricked with an anchor containing a question mark into connecting to a different host. This issue also affects java.net.URL (as of 8u112) but not java.net.URI:
org.asynchttpclient.uri.Uri.create("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 5.6.7.8
new java.net.URL("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 5.6.7.8
java.net.URI.create("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q").getHost()
// 1.2.3.4
Credit goes to Nicolas Grégoire from Agarri.
I'm not aware of any exploit at the moment.
Possible usages:
- circumventing white/black lists
- web crawler that would use AHC for fetching pages but would use java.net.URI to compute the index key.
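
A defensive pattern for both usages listed above, as an added example that is not part of the original issue or of AHC's code: parse once with java.net.URI (which the issue reports as returning 1.2.3.4), enforce the allowlist on that host, and hand the HTTP client only a URL rebuilt from the parsed components, so the fragment never reaches a second parser. The class name, method name and allowlist contents are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class FetchTargetCheck {
    // Constructed allowlist for this example (Set.of needs Java 9+).
    static final Set<String> ALLOWED_HOSTS = Set.of("1.2.3.4");

    /**
     * Parses with java.net.URI, enforces the allowlist on that host, and returns
     * a URL rebuilt from the parsed components with user-info and fragment dropped.
     * Use the returned string both for the fetch and as the index key.
     */
    static String canonicalTarget(String raw) throws URISyntaxException {
        URI uri = new URI(raw).parseServerAuthority();
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("unsupported scheme: " + raw);
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        // Raw (still percent-encoded) components are copied as-is, nothing is re-decoded.
        StringBuilder out = new StringBuilder(scheme.toLowerCase(Locale.ROOT))
                .append("://").append(host.toLowerCase(Locale.ROOT));
        if (uri.getPort() != -1) {
            out.append(':').append(uri.getPort());
        }
        String path = uri.getRawPath();
        out.append(path == null || path.isEmpty() ? "/" : path);
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // URL from the issue: allowed host 1.2.3.4, second host hidden in the fragment.
        System.out.println(canonicalTarget("http://1.2.3.4:81#@5.6.7.8:82/aaa/b?q"));
        try {
            canonicalTarget("http://5.6.7.8:82/aaa/b?q"); // constructed: host not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```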