Improper Input Validation Affecting guzzlehttp/psr7 package, versions <1.9.1 >=2.0.0, <2.4.5
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-GUZZLEHTTPPSR7-5458978
- published 25 Apr 2023
- disclosed 24 Apr 2023
- credit GrahamCampbell, Nyholm, TimWolla
Introduced: 24 Apr 2023
CVE-2023-29530 Open this link in a new tabHow to fix?
Upgrade guzzlehttp/psr7 to version 1.9.1, 2.4.5 or higher.
Overview
Affected versions of this package are vulnerable to Improper Input Validation such that an attacker who is able to control the header names passed to Laminas Diactoros would be able to craft invalid messages intentionally, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.
Workarounds
Users who are unable to upgrade to the fixed versions, should validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().