CVE-2022-29248

Cross-domain cookie leakage in Guzzle

CVSS 8 HIGH · EPSS 1.2% · CWE-200
In short

Guzzle's cookie middleware doesn't properly validate that cookies come from the correct domain, allowing a malicious server to set cookies for unrelated domains. This only affects users who explicitly enable cookie handling and make requests to multiple domains.

Technical detail

The cookie middleware in Guzzle fails to validate the Set-Cookie Domain attribute against the host that actually sent the response, so a compromised or attacker-controlled server can inject cookies scoped to unrelated domains into the shared cookie jar. Exploitation requires the victim to use the same Guzzle client instance (and therefore the same cookie jar) for multiple domains with cookies enabled; impact includes session hijacking and credential theft across multiple services.

Summary generated and translated by AI from the official description.
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
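The following PHP check is added here and is not part of Guzzle or of this advisory: it replays the scenario offline with Guzzle's MockHandler so you can confirm how the installed version treats a cookie scoped to a foreign domain, and it shows the per-origin client configuration that avoids the problem independently of the version. The host names are constructed and Guzzle is assumed to be installed via Composer.

```php
<?php
// Added example, not Guzzle's own code. Assumes a Composer install of guzzlehttp/guzzle;
// attacker.example, bank.example and partner.example are constructed host names.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Cookie\CookieJar;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

// Constructed response: the server on attacker.example answers with a cookie
// whose Domain attribute points at an unrelated host, bank.example.
$mock = new MockHandler([
    new Response(200, ['Set-Cookie' => 'session=injected; Domain=bank.example; Path=/']),
]);

$jar = new CookieJar();
$client = new Client([
    'handler' => HandlerStack::create($mock), // the default stack includes the cookie middleware
    'cookies' => $jar,                         // explicit opt-in, as the advisory describes
]);
$client->get('http://attacker.example/');

// Did the jar accept a cookie for a host that never sent it?
$leaked = array_filter($jar->toArray(), static function (array $cookie): bool {
    return $cookie['Domain'] === 'bank.example';
});

if ($leaked === []) {
    echo "OK: the bank.example cookie set by attacker.example was rejected\n";
} else {
    echo "VULNERABLE: the shared jar now holds a bank.example cookie from attacker.example\n";
}

// Mitigation that holds regardless of version: do not share one cookie jar across origins.
// Give each origin its own client and jar, or leave cookies off where they are not needed.
$bank    = new Client(['base_uri' => 'https://bank.example',    'cookies' => new CookieJar()]);
$partner = new Client(['base_uri' => 'https://partner.example', 'cookies' => false]);
```

On Guzzle 6.5.6 / 7.4.3 or later the check should print the OK line; an earlier version with cookies enabled stores the injected cookie and would send it on the next request the same client makes to bank.example.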
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected products
guzzle · guzzle
