Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is:

  • First, an application accepts a user-controlled URL.
  • Second, the URL is used to construct a PSR-7 `Uri` or `Request`.
  • Third, the host component contains CRLF or another header-unsafe character.
  • Fourth, the host is copied into the PSR-7 `Host` header when no explicit `Host` header is provided.
  • Finally, the request is serialized or sent by an HTTP client that does not independently reject the malformed host.

In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing `"\r\nX-Injected: yes"` can cause the generated `Host` header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.

The issue is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.
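The workaround described above (validate and reject untrusted URI strings before constructing a PSR-7 `Uri` or `Request`), which is also the sanitization step in the recommended actions further down, as an added PHP example. This is not code from guzzlehttp/psr7, from the GHSA advisory, or from OpenCVE. It uses only PHP's standard library; the function names `firstUnsafeByte`, `assertSafeUriString` and `checkAll`, the `UnsafeUriException` class, the `example.test` host names and the sample inputs are all this example's own constructions. It goes beyond the advisory's single CRLF case by also exercising TAB, DEL, NUL, space and a host-less URI, and by adding a positive allow-list for the host component.

```php
<?php
declare(strict_types=1);

// Added example, not code from guzzlehttp/psr7 or from the advisory. It
// implements the workaround the advisory describes: refuse untrusted URI
// strings that contain ASCII control characters, whitespace, or DEL before
// they reach a PSR-7 Uri or Request constructor. Class and function names,
// the self-check and the sample URLs are this example's own constructions.

final class UnsafeUriException extends InvalidArgumentException
{
}

/**
 * Return a printable label for the first header-unsafe byte in $s, or null
 * if there is none. Unsafe bytes are ASCII controls 0x00-0x1F (CR, LF, TAB,
 * NUL, ...), space 0x20 and DEL 0x7F: the set the advisory says to reject.
 */
function firstUnsafeByte(string $s): ?string
{
    if (preg_match('/[\x00-\x20\x7F]/', $s, $m, PREG_OFFSET_CAPTURE) !== 1) {
        return null;
    }
    [$byte, $offset] = $m[0];
    return sprintf('0x%02X at offset %d', ord($byte), $offset);
}

/**
 * Validate an untrusted URI string and return it unchanged when it is safe
 * to pass to a PSR-7 Uri/Request constructor; throw UnsafeUriException
 * otherwise. The byte check covers the whole string, not only the host, so
 * a CRLF anywhere in the input is refused before any parsing happens.
 */
function assertSafeUriString(string $uri): string
{
    // 1. Byte-level check over the whole string.
    $hit = firstUnsafeByte($uri);
    if ($hit !== null) {
        throw new UnsafeUriException("URI contains header-unsafe byte $hit");
    }

    // 2. Structural check: an outbound request needs a parseable, non-empty host.
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['host']) || $parts['host'] === '') {
        throw new UnsafeUriException('URI has no parseable host component');
    }

    // 3. Positive allow-list for the host: a bracketed IP-literal, or a
    //    reg-name built from RFC 3986 unreserved, sub-delims and pct-encoding.
    $hostGrammar = '/\A(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&\'()*+,;=]+)\z/';
    if (preg_match($hostGrammar, $parts['host']) !== 1) {
        throw new UnsafeUriException('URI host contains characters outside the RFC 3986 host grammar');
    }

    return $uri;
}

/**
 * Run assertSafeUriString over a map of URI => expected-safe and return a
 * report; throw LogicException if any expectation is not met.
 */
function checkAll(array $samples): array
{
    $report = [];
    foreach ($samples as $uri => $expectedSafe) {
        try {
            assertSafeUriString($uri);
            $report[$uri] = ['safe' => true, 'reason' => null];
        } catch (UnsafeUriException $e) {
            $report[$uri] = ['safe' => false, 'reason' => $e->getMessage()];
        }
        if ($report[$uri]['safe'] !== $expectedSafe) {
            throw new LogicException('self-check mismatch for ' . var_export($uri, true));
        }
    }
    return $report;
}

// Constructed sample inputs (not from the project's test suite).
$samples = [
    'https://api.example.test/webhooks/1'          => true,
    'https://[2001:db8::1]:8443/notify'            => true,
    "https://api.example.test\r\nX-Injected: yes/" => false, // CRLF: the advisory's example
    "https://api.example.test\tinternal/"          => false, // TAB
    "https://api.example.test\x7F/"                => false, // DEL
    "https://api.example.test\x00/"                => false, // NUL
    'https://api.example.test /'                   => false, // SP
    'mailto:alice@example.test'                    => false, // no host at all
];

foreach (checkAll($samples) as $uri => $r) {
    printf(
        "%-6s %s%s\n",
        $r['safe'] ? 'ACCEPT' : 'REJECT',
        addcslashes($uri, "\0..\37\177"),
        $r['reason'] !== null ? "  ({$r['reason']})" : ''
    );
}

// Where this belongs in an application (kept as a comment so the file runs
// without Composer; the check complements, and does not replace, upgrading
// to guzzlehttp/psr7 2.10.2 or later):
// $request = new \GuzzleHttp\Psr7\Request('GET', assertSafeUriString($untrustedUrl));
```

The whole-string byte check runs before `parse_url()` on purpose: `parse_url()` is not a validator and may split a string containing CR/LF in ways that hide the offending byte inside a component you were not looking at. The allow-list in step 3 is stricter than the 2.10.2 fix itself (it also refuses hosts that are merely malformed rather than header-unsafe), which is the right default for a defensive wrapper around outbound requests, webhooks or proxies; relax it only where the application genuinely needs wider host syntax.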
Published: 2026-06-11
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from guzzlehttp/psr7 accepting ASCII control characters, whitespace, or DEL in the host component of a first‑party URI. When an application uses a user‑controlled URL to construct a PSR‑7 Uri or Request, the host is copied into the Host header if no explicit header is supplied. An attacker can craft a host such as "\r\nX-Injected: yes", causing the serialized request to contain additional header lines. This flaw permits arbitrary HTTP header injection, which can lead to request smuggling, cache poisoning, or unintended request behavior in downstream proxies and load balancers.

Affected Systems

The issue affects the guzzlehttp/psr7 package before version 2.10.2. Versions 1.x are end of life and will not receive a fix. Any PHP application that constructs PSR‑7 requests from user input and then forwards or proxies the request via Guzzle is potentially affected.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. The EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, implying no confirmed public exploits. Exploitation requires the application to accept a malicious URL and to send the resulting PSR‑7 request without additional validation. While the attack vector is inferred, applications that aggressively use outbound HTTP clients or perform URL forwarding face higher risk, especially in environments with HTTP/1.1 reuse, proxies, or gateways where smuggling or cache poisoning could be leveraged.

Generated by OpenCVE AI on June 11, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade guzzlehttp/psr7 to version 2.10.2 or later – this version contains the vendor‑supplied fix; note that 1.x is no longer supported
  • Sanitize all user‑controlled URLs before constructing a PSR‑7 instance by rejecting CRLF, whitespace, tab, space, NUL, DEL, and other header‑unsafe characters
  • Configure downstream HTTP clients or serializers to reject malformed host and header data, ensuring they perform validation before sending requests to the network

Advisories
Source: GitHub GHSA
ID: GHSA-hq7v-mx3g-29hw
Title: guzzlehttp/psr7 has CRLF Injection via URI Host Component
History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 12:45:00 +0000

Values Removed: (none)

Type: Description
Values Added: the CVE description, reproduced in full under "Description" at the top of this page

Type: Title
Values Added: guzzlehttp/psr7 has CRLF Injection via URI Host Component

Type: Weaknesses
Values Added: CWE-113, CWE-20, CWE-93

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T12:47:51.084Z

Reserved: 2026-05-28T03:42:34.341Z

Link: CVE-2026-49214

Vulnrichment

Updated: 2026-06-11T12:47:47.580Z

NVD

Status: Received

Published: 2026-06-11T13:16:33.300

Modified: 2026-06-11T13:16:33.300

Link: CVE-2026-49214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T13:30:15Z

Weaknesses
  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
  • CWE-20: Improper Input Validation
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')