Vulnerability in Guzzle PSR-7 Library Allows Header Injection via User-Controlled URLs
CVE-2026-49214
What is CVE-2026-49214?
The Guzzle PSR-7 HTTP message library prior to version 2.10.2 is susceptible to a header injection vulnerability. When an application processes user-controlled URLs to construct PSR-7 Uri or Request, certain ASCII control characters, whitespace, or DEL in the host component can be exploited. This flaw can result in an attacker injecting malicious headers into serialized requests. Affected applications include those utilizing user-controlled URLs for outbound requests, URL forwarding, and other request dispatch mechanisms. The issue can lead to severe consequences such as request smuggling or cache poisoning, particularly in environments with HTTP/1.1 connection reuse or through proxies and gateways. The recommended mitigation involves validating and rejecting all untrusted URI strings prior to constructing PSR-7 Uri or Request instances and ensuring that outbound HTTP clients properly handle invalid URI and header data.
Affected Version(s)
psr7 < 2.10.2
