GHSA-vm85-hxw5-5432

Suggest an improvement
Source
https://github.com/advisories/GHSA-vm85-hxw5-5432
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vm85-hxw5-5432/GHSA-vm85-hxw5-5432.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vm85-hxw5-5432
Aliases
  • CVE-2026-55766
Related
Published
2026-06-19T14:35:57Z
Modified
2026-06-22T18:29:21.124935444Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
Details

Impact

guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again.

Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This is not the normal request-sending path used by guzzlehttp/guzzle; applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected.

Applications are most likely to be affected when they manually serialize PSR-7 messages, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, testing, or similar code. Depending on how downstream HTTP/1.1 components parse the serialized message, this may lead to header injection, response splitting, request smuggling, or cache poisoning.

Patches

The issue is patched in 2.12.1 and later. Starting in that release, guzzlehttp/psr7 rejects CR/LF characters in HTTP method, protocol version, and response reason phrase values before storing them in first-party message objects.

Workarounds

If you cannot upgrade immediately, reject CR/LF in untrusted method, protocol version, and reason phrase values before constructing or modifying PSR-7 messages.

Applications that parse, forward, replay, or serialize raw HTTP messages cannot work around the parser entry points by validating only after parsing. They should validate the raw start line before calling Message::parseRequest() or Message::parseResponse(), avoid reparsing untrusted raw messages, or upgrade. If an application runs with attacker-controlled synthetic $_SERVER values, validate REQUEST_METHOD and SERVER_PROTOCOL before calling ServerRequest::fromGlobals().

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-113",
        "CWE-93"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:35:57Z"
}
References

Affected packages

Packagist / guzzlehttp/psr7

Package

Name
guzzlehttp/psr7
Purl
pkg:composer/guzzlehttp%2Fpsr7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.1

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.7.0
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9.0
1.9.1
2.*
2.0.0-beta1
2.0.0-rc1
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.11.0
2.11.1
2.12.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vm85-hxw5-5432/GHSA-vm85-hxw5-5432.json"