GHSA-34xg-wgjx-8xph
Suggest an improvement- Source
- https://github.com/advisories/GHSA-34xg-wgjx-8xph
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-34xg-wgjx-8xph/GHSA-34xg-wgjx-8xph.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-34xg-wgjx-8xph
- Aliases
-
- CVE-2026-48998
- Downstream
- Related
- Published
- 2026-06-11T13:04:53Z
- Modified
- 2026-06-18T18:29:24.348822818Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
- Details
-
Impact
guzzlehttp/psr7improperly interpreted malformedHostheader values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal outbound request-sending path used byguzzlehttp/guzzle.A vulnerable flow is:
- An attacker controls a raw HTTP request or server variable containing a
Hostvalue. - The
Hostvalue contains URI authority delimiters, such astrusted.example@evil.example. guzzlehttp/psr7uses that value to construct a URI.- The URI parser treats the portion before
@as userinfo and the portion after@as the URI host. - The resulting PSR-7 request URI host differs from the original
Hostheader value.
For example,
Host: trusted.example@evil.examplecan result in a PSR-7 URI whose host isevil.example, while the original Host header value remainstrusted.example@evil.example.Applications are affected if they parse attacker-controlled raw HTTP requests with
GuzzleHttp\Psr7\Message::parseRequest()or the legacy 1.xGuzzleHttp\Psr7\parse_request()function, or if they build server requests from attacker-controlled server variables withGuzzleHttp\Psr7\ServerRequest::fromGlobals()orGuzzleHttp\Psr7\ServerRequest::getUriFromGlobals(), and then rely on the resulting URI host for routing, allow-list checks, credential selection, or forwarding decisions. Applications usingguzzlehttp/psr7only through Guzzle's standard HTTP client APIs are not expected to be affected. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host.Patches
The issue is patched in
2.10.2and later.1.xis end-of-life and will not receive a patch.Workarounds
If you cannot upgrade immediately, validate Host values before passing untrusted request data to
Message::parseRequest(), legacy 1.xparse_request(),ServerRequest::fromGlobals(), orServerRequest::getUriFromGlobals().Accept only
uri-host [ ":" port ]. Reject values containing whitespace, control characters, userinfo (@), path (/or\), query (?), fragment (#), malformed IP literals or bracket syntax, or invalid port syntax.Do not validate Host by prefixing it with
http://and passing it toparse_url(), because that can reinterpret malformed values as URI userinfo and host.References
- https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2
- https://www.rfc-editor.org/rfc/rfc9112.html#section-3.3
- https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.4
- https://www.rfc-editor.org/rfc/rfc9110.html#section-7.2
- An attacker controls a raw HTTP request or server variable containing a
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-11T13:04:53Z", "nvd_published_at": "2026-06-11T13:16:33Z", "severity": "MODERATE", "cwe_ids": [ "CWE-20", "CWE-918" ] }- References
Affected packages
Packagist / guzzlehttp/psr7
Package
- Name
- guzzlehttp/psr7
- Purl
- pkg:composer/guzzlehttp%2Fpsr7
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.10.2