Improper Host Header Validation in Guzzle HTTP Library
CVE-2026-48998
What is CVE-2026-48998?
The Guzzle HTTP library, specifically versions prior to 2.10.2, is susceptible to improper validation of the Host header. This vulnerability allows attackers to manipulate raw HTTP request messages by providing malformed Host headers that contain URI authority delimiters, potentially affecting server request URIs constructed from server variables. When such malformed Host values are parsed, they can lead to unintended interpretations that diverge from the original Host header. As a result, applications that rely on these parsed URIs for routing or security checks may inadvertently forward requests to incorrect hosts. This issue is primarily a concern when applications handle untrusted HTTP request data using the affected parsing functions. Users are advised to implement validations on the Host header before processing it, as version 1.x is no longer supported and will not receive patches.
Affected Version(s)
psr7 < 2.10.2
