Improper Input Validation in guzzlehttp/psr7

Moderate

Nyholm published GHSA-q7rv-6hp3-vh96

Mar 20, 2022

Package

guzzlehttp/psr7 (Composer)

Affected versions

<=1.8.3

=>2.0.0, <=2.1.0

Patched versions

1.8.4

2.1.1

Description

Impact

Improper header parsing. An attacker could sneak in a carriage return character (\r) and pass untrusted values in both the header names and values.

Patches

The issue is patched in 1.8.4 and 2.1.1.

Workarounds

There are no known workarounds.

References

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N