Uri Validation Flaw in Guzzle HTTP Library by Guzzle
CVE-2026-59882
4.2MEDIUM
What is CVE-2026-59882?
The guzzlehttp/psr7 library, an implementation of the PSR-7 HTTP message standard in PHP, contains a vulnerability in the Uri::assertValidHost() function. This function fails to properly validate URI host components, allowing for potential discrepancies between Uri::getHost() and the URI authority. Issues arise from acceptance of authority delimiters, embedded ports, and incorrectly formatted IPv6 brackets. This flaw can lead to erroneous security or routing decisions. All users are strongly encouraged to update to version 2.12.3 or later to remediate this vulnerability.
Affected Version(s)
psr7 < 2.12.3
