Improper Input Validation Affecting php-guzzlehttp-psr7 package, versions <1.8.5-1


Severity

high

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 0.3% (70th percentile)

  • Snyk ID: SNYK-DEBIANUNSTABLE-PHPGUZZLEHTTPPSR7-2432307
  • published: 24 Mar 2022
  • disclosed: 21 Mar 2022

Introduced: 21 Mar 2022

CVE-2022-24775
CWE-20

How to fix?

Upgrade Debian:unstable php-guzzlehttp-psr7 to version 1.8.5-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream php-guzzlehttp-psr7 package and not the php-guzzlehttp-psr7 package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

CVSS Scores

version 3.1