[SECURITY] Update guzzlehttp/psr7 to v2.12.1 - autoclosed#268
Closed
renovate[bot] wants to merge 1 commit into
Closed
[SECURITY] Update guzzlehttp/psr7 to v2.12.1 - autoclosed#268renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Collaborator
Coverage Report for CI Build 27843969549Coverage remained the same at 97.619%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsNo coverage regressions found. Coverage Stats
💛 - Coveralls |
| datasource | package | from | to | | ---------- | --------------- | ------ | ------ | | packagist | guzzlehttp/psr7 | 2.11.0 | 2.12.1 |
renovate
Bot
force-pushed
the
renovate/packagist-guzzlehttp-psr7-vulnerability
branch
from
58b0ead to
bce9c20
Compare
renovate
Bot
changed the title
renovate
Bot
deleted the
renovate/packagist-guzzlehttp-psr7-vulnerability
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.11.0→2.12.1guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
CVE-2026-55766 / GHSA-vm85-hxw5-5432
More information
Details
Impact
guzzlehttp/psr7did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example withMessage::toString()or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached throughMessage::parseRequest()orMessage::parseResponse()when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again.Creating or modifying a
Request,Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This is not the normal request-sending path used byguzzlehttp/guzzle; applications usingguzzlehttp/psr7only through Guzzle's standard HTTP client APIs are not expected to be affected.Applications are most likely to be affected when they manually serialize PSR-7 messages, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, testing, or similar code. Depending on how downstream HTTP/1.1 components parse the serialized message, this may lead to header injection, response splitting, request smuggling, or cache poisoning.
Patches
The issue is patched in
2.12.1and later. Starting in that release,guzzlehttp/psr7rejects CR/LF characters in HTTP method, protocol version, and response reason phrase values before storing them in first-party message objects.Workarounds
If you cannot upgrade immediately, reject CR/LF in untrusted method, protocol version, and reason phrase values before constructing or modifying PSR-7 messages.
Applications that parse, forward, replay, or serialize raw HTTP messages cannot work around the parser entry points by validating only after parsing. They should validate the raw start line before calling
Message::parseRequest()orMessage::parseResponse(), avoid reparsing untrusted raw messages, or upgrade. If an application runs with attacker-controlled synthetic$_SERVERvalues, validateREQUEST_METHODandSERVER_PROTOCOLbefore callingServerRequest::fromGlobals().Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
guzzle/psr7 (guzzlehttp/psr7)
v2.12.1Compare Source
Security
v2.12.0Compare Source
Deprecated
Query::build()that guzzlehttp/psr7 3.0 rejectsUtils::streamFor(); cast them to a string for 3.0Uri::withQueryValues()values; cast them to a string for 3.0v2.11.1Compare Source
Fixed
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.