CVE-2022-24775
Improper Input Validation in guzzlehttp/psr7
In short
The guzzlehttp/psr7 library doesn't properly validate HTTP headers, allowing attackers to insert newline characters and inject malicious header values. This can lead to HTTP header injection attacks that compromise request integrity.
Technical detail
The vulnerability exists in header parsing logic that fails to sanitize newline characters (CWE-20: Improper Input Validation). An attacker can inject arbitrary headers by embedding CRLF sequences into header values, potentially enabling header injection attacks. Patched in versions 1.8.4 and 2.1.1.
Summary generated and translated by AI from the official description.
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
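The class of bug above is a missing check on header names and values before they are built into a PSR-7 message. The following is an added example, not code from guzzlehttp/psr7 or from the advisory, of the kind of guard a defender can place in front of any header map that originates from untrusted input. The `HeaderGuard` class name, the two regular expressions (written from the RFC 7230 field-name and field-value grammar) and the sample header values are all assumptions constructed for this illustration; the patched library's actual validation is not reproduced here.

```php
<?php
// Added example, not guzzlehttp/psr7's own code: a defensive guard that rejects
// header names and values containing CR/LF or other control characters before
// they reach a PSR-7 request or response builder.

declare(strict_types=1);

final class HeaderGuard
{
    // RFC 7230 "token" characters, the only ones permitted in a field name.
    private const NAME_RE = '/^[A-Za-z0-9!#$%&\'*+\-.^_`|~]+$/';

    // SP, HTAB, visible ASCII and obs-text for a field value. CR (\x0D) and
    // LF (\x0A) are deliberately absent, so an embedded line break is rejected
    // and cannot start a second, attacker-controlled header line.
    private const VALUE_RE = '/^[\x20\x09\x21-\x7E\x80-\xFF]*$/';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::NAME_RE, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_RE, $value) === 1;
    }

    /**
     * Returns the header map unchanged when every entry is well-formed and
     * throws otherwise, so a malformed value never becomes part of a message.
     *
     * @param array<string, string|string[]> $headers
     * @return array<string, string|string[]>
     */
    public static function assertAll(array $headers): array
    {
        foreach ($headers as $name => $values) {
            if (!self::isValidName((string) $name)) {
                throw new InvalidArgumentException(
                    sprintf('Invalid header name: %s', json_encode($name))
                );
            }
            foreach ((array) $values as $value) {
                if (!self::isValidValue((string) $value)) {
                    throw new InvalidArgumentException(
                        sprintf('Invalid value for header %s: %s', $name, json_encode($value))
                    );
                }
            }
        }
        return $headers;
    }
}

// Constructed sample input (not real traffic): one clean value and one value
// carrying a CRLF sequence of the kind the advisory describes. The second
// entry is the case a vulnerable version would have passed through unchecked.
$samples = [
    'X-Request-Id'    => 'abc123',
    'X-Forwarded-For' => "203.0.113.7\r\nX-Injected: demo",
];

foreach ($samples as $name => $value) {
    try {
        HeaderGuard::assertAll([$name => $value]);
        echo "accepted: {$name}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Running the script accepts `X-Request-Id` and rejects the `X-Forwarded-For` entry because of the `\r\n` in its value. A guard like this is defence in depth, not a substitute for the fix: the remediation for this CVE is upgrading guzzlehttp/psr7 to 1.8.4 or 2.1.1, and `composer show guzzlehttp/psr7` reports the version currently installed in a project.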
Affected products
guzzle · psr7