Impact
guzzlehttp/psr7 allows a malformed Host header to be interpreted as URI userinfo and host. When the library parses an incoming request, it may construct a URI whose host component differs from the value of the original Host header. An attacker can therefore trick an application into routing a request, passing an allow-list check, or forwarding the request to an unintended host, potentially exposing credentials or enabling further attacks. In effect, the flaw undermines any application control that relies on the Host header for security decisions.
Affected Systems
The vulnerable product is the PHP PSR‑7 HTTP message library guzzle/psr7. Versions older than 2.10.2 are affected. The legacy 1.x release chain is end‑of‑life and will not receive any patch. The vulnerability is triggered when an application processes attacker‑controlled raw HTTP requests via the functions GuzzleHttp\Psr7\Message::parseRequest() or the legacy GuzzleHttp\Psr7\parse_request(), or when it builds a server request from unchecked server variables.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate risk. No EPSS data is available and the issue is not listed in the CISA KEV catalog. Because the vulnerability can be triggered by an external user sending a crafted HTTP request, the attack vector is remote. Exploitation requires that the application rely on the parsed URI host for routing, allow-list checks, or forwarding, and that the request being parsed originates from an untrusted source. Given these conditions, exploitation is realistic mainly in environments where the library is used to parse untrusted requests in a forwarding or gateway context.
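As an added illustration (not code from the advisory or from guzzle/psr7), the following gateway-side guard validates the Host header independently of the parser and refuses to forward a request when the host the library derived disagrees with that header or is not on an allow-list; the autoload path, the allow-list and the sample requests are constructed assumptions.

```php
<?php
// Added example (not from the advisory or from guzzle/psr7): a gateway-side guard
// that validates the Host header independently of the parser. Assumes
// guzzlehttp/psr7 is installed via Composer; the autoload path is an assumption.
require __DIR__ . '/vendor/autoload.php';
use GuzzleHttp\Psr7\Message;
use Psr\Http\Message\RequestInterface;

// Hosts this gateway may forward to (constructed allow-list).
const ALLOWED_HOSTS = ['api.internal.example', 'www.example.org'];

// True only for a plain hostname or IPv4 literal with an optional port: no '@', '/',
// '?' or '#', so nothing can be read as userinfo, path or query. Bracketed IPv6
// literals are deliberately rejected; extend the pattern if you need them.
function isWellFormedHostHeader(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$/', $host);
}

// Parses a raw request and refuses it unless the host the library put in the
// URI equals the Host header (minus port) and that host is on the allow-list.
function parseAndCheckHost(string $raw): RequestInterface
{
    $request = Message::parseRequest($raw);
    $hostHeader = $request->getHeaderLine('Host');
    if (!isWellFormedHostHeader($hostHeader)) {
        throw new RuntimeException('Rejected: malformed Host header');
    }
    $headerHost = strtolower(explode(':', $hostHeader, 2)[0]);
    $uriHost = strtolower($request->getUri()->getHost());
    if ($headerHost !== $uriHost) {
        throw new RuntimeException("Rejected: URI host '$uriHost' differs from Host header '$headerHost'");
    }
    if (!in_array($uriHost, ALLOWED_HOSTS, true)) {
        throw new RuntimeException("Rejected: host '$uriHost' is not on the allow-list");
    }
    return $request;
}

// Constructed sample requests: a well-formed one, then one whose Host value is not
// a plain hostname and must be rejected before any routing decision is made.
$samples = [
    "GET /status HTTP/1.1\r\nHost: api.internal.example\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: api.internal.example@other.example\r\n\r\n",
];
foreach ($samples as $raw) {
    try {
        echo 'accepted: ' . parseAndCheckHost($raw)->getUri()->getHost() . "\n";
    } catch (Throwable $e) { // a patched parser may itself throw on the bad header
        echo $e->getMessage() . "\n";
    }
}
```

The well-formedness check runs regardless of library version, so the guard also catches the mismatch on an unpatched 2.x install rather than relying on the parser alone.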
OpenCVE Enrichment
Github GHSA