Improper header name validation in guzzlehttp/psr7
CVE-2023-29197

5.3MEDIUM

Key Information:

Vendor

Guzzle

Status
Psr7
Vendor
CVE Published:
17 April 2023

What is CVE-2023-29197?

The GuzzleHTTP PSR-7 library, a popular PHP HTTP message library, exhibits an improper header parsing vulnerability that allows an attacker to insert newline characters into header names and values. The vulnerability arises from the library’s handling of HTTP headers, where even though the HTTP specification requires headers to terminate with

, many servers erroneously accept

as a valid termination. This flaw is a follow-up to a previous security issue that went unresolved, emphasizing the importance of upgrading to the patched versions, 1.9.1 and 2.4.5, to mitigate potential exploitation.

Affected Version(s)

psr7 < 1.9.1 < 1.9.1

psr7 >= 2.0.0, < 2.4.5 < 2.0.0, 2.4.5

References

https://github.com/guzzle/psr7/security/advisories/GHSA-w...
x_refsource_CONFIRM
https://github.com/guzzle/psr7/security/advisories/GHSA-q...
x_refsource_MISC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.