HTTP Message Library Vulnerability in GuzzleHttp/Psr7 by Guzzle
CVE-2026-55766

4.8MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-55766?

GuzzleHttp/Psr7, a widely-used PSR-7 HTTP message library implementation in PHP, has a vulnerability that allows the inclusion of CR/LF characters in the start-line fields of HTTP messages if not properly sanitized. This applies to elements such as the request method, protocol version, and response reason phrase. An attacker could exploit this flaw if they manage to send controlled data into these fields, leading to the serialization of crafted messages that include malicious header lines when processed. This issue could arise during serialization processes or when messages are malformed and parsed into PSR-7 objects. This vulnerability was addressed in version 2.12.1, highlighting the importance of keeping dependencies up to date to avoid such risks.

Affected Version(s)

psr7 < 2.12.1

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.