Description
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Published: 2026-06-23
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A client-side TLS misconfiguration in the Guzzle PHP HTTP client allows traffic that should be protected by TLS on the hop to a proxy to be transmitted in cleartext when the underlying libcurl is older than 7.50.2: an https:// proxy URL is silently treated as an http:// proxy, so no TLS session to the proxy is ever established and no error or warning is raised. As a result, proxy authentication credentials sent in the Proxy-Authorization header, in the proxy URL's userinfo, or via CURLOPT_PROXYUSERPWD, as well as the CONNECT request that names the target host and port for tunneled HTTPS connections, are exposed on the client-to-proxy network path. The tunneled HTTPS payload itself is still encrypted end to end with the origin server; what leaks is the proxy credential and the destination metadata. This flaw corresponds to CWE-311 (missing encryption of sensitive data), CWE-319 (cleartext transmission of sensitive information) and CWE-636 (failing open: the client proceeds in cleartext instead of refusing to connect).

Affected Systems

PHP applications that use the guzzlehttp/guzzle library before version 7.12.1, send requests through the built-in cURL handlers (GuzzleHttp\Handler\CurlHandler or GuzzleHttp\Handler\CurlMultiHandler, the defaults whenever the PHP cURL extension is present), configure an https:// proxy, and run against a libcurl older than 7.50.2. Such environments are at risk because the proxy URL is configured for TLS while the underlying libcurl silently downgrades the proxy leg to unencrypted HTTP.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the vulnerability as medium severity; no EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation requires an attacker who can observe or sniff the client-to-proxy link; this needs no privileges on the client and no code execution, but it does require a position on that network path, which is why attack complexity is rated high. An attacker so placed can capture the unencrypted Proxy-Authorization header and CONNECT request, obtaining cleartext proxy credentials and the target host and port, which enables credential reuse against the proxy and collection of destination metadata, but gives no direct code execution or denial-of-service capability.

Generated by OpenCVE AI on June 23, 2026 at 22:11 UTC.

Remediation

Fixed in Guzzle 7.12.1, as stated in the description above. No separate vendor workaround is provided for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Guzzle to version 7.12.1 or newer.
  • Upgrade the underlying libcurl library to 7.50.2 or later to eliminate the silent downgrade.
  • If an upgrade cannot be performed immediately, do not rely on an https:// proxy URL for confidentiality on an old libcurl: treat the proxy leg as cleartext, avoid sending proxy credentials across it (for example by disabling proxy usage for affected clients), and verify the libcurl version in use with curl_version() rather than trusting the URL scheme.
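The following Guzzle middleware is an added example, not code from the Guzzle project or from the advisory. It fails closed in the way CWE-636 says the vulnerable handler does not: before a request reaches the cURL handler, it checks whether the resolved proxy option uses an https:// scheme and, if the running libcurl is older than 7.50.2 (version_number 0x073202), throws instead of silently sending the proxy leg in cleartext. The function names, the RuntimeException, and the proxy URL are assumptions chosen for the example; the Guzzle HandlerStack and middleware calling convention, the shape of the proxy request option (a string or an array keyed by http/https/no), and the curl_version() version_number field are real.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical guard), not part of guzzlehttp/guzzle.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use Psr\Http\Message\RequestInterface;

// libcurl version_number is packed as 0xXXYYZZ for XX.YY.ZZ; 7.50.2 is 0x073202.
const LIBCURL_MIN_HTTPS_PROXY = 0x073202;

/** Does the libcurl in use really speak TLS to an https:// proxy? */
function libcurlSupportsHttpsProxy(?int $versionNumber = null): bool
{
    $versionNumber ??= curl_version()['version_number'];
    return $versionNumber >= LIBCURL_MIN_HTTPS_PROXY;
}

/**
 * True if the Guzzle 'proxy' request option names an https:// proxy.
 * Guzzle accepts either a single proxy URL or an array keyed by
 * 'http', 'https' and 'no'; the 'no' entry is a host list, not a URL.
 */
function proxyOptionUsesHttps(mixed $proxy): bool
{
    if (is_string($proxy)) {
        return stripos($proxy, 'https://') === 0;
    }
    if (is_array($proxy)) {
        foreach (['http', 'https'] as $scheme) {
            if (isset($proxy[$scheme]) && stripos((string) $proxy[$scheme], 'https://') === 0) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Middleware that refuses to send a request when the caller expects an
 * encrypted proxy hop but libcurl would downgrade it to plaintext.
 * $versionNumber is injectable so the check can be exercised without
 * an old libcurl installed.
 */
function httpsProxyGuard(?int $versionNumber = null): callable
{
    return static function (callable $handler) use ($versionNumber): callable {
        return static function (RequestInterface $request, array $options) use ($handler, $versionNumber) {
            if (isset($options['proxy'])
                && proxyOptionUsesHttps($options['proxy'])
                && !libcurlSupportsHttpsProxy($versionNumber)) {
                throw new \RuntimeException(
                    'Refusing request: https:// proxy configured but libcurl '
                    . curl_version()['version'] . ' (< 7.50.2) would send the proxy leg in cleartext'
                );
            }
            return $handler($request, $options);
        };
    };
}

// Usage: push the guard before the default cURL handler runs.
$stack = HandlerStack::create();
$stack->push(httpsProxyGuard(), 'https_proxy_guard');

$client = new Client([
    'handler' => $stack,
    // Assumed proxy URL for the example; in practice this often comes from
    // the HTTPS_PROXY environment variable, which Guzzle also maps into
    // the 'proxy' option, so the guard covers both sources.
    'proxy'   => 'https://proxy.example.internal:3128',
]);

// On a patched libcurl this proceeds; on libcurl < 7.50.2 it throws
// instead of leaking Proxy-Authorization and the CONNECT target.
$client->get('https://api.example.com/health');
```

Because the check runs inside the handler stack, it also covers a proxy configured per request (`$client->get($url, ['proxy' => ...])`) rather than only the client-wide default. Upgrading Guzzle to 7.12.1 and libcurl to 7.50.2 or later remains the actual fix; the guard only makes the failure visible instead of silent.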

Generated by OpenCVE AI on June 23, 2026 at 22:11 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-wpwq-4j6v-78m3
Title: guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
History

Tue, 23 Jun 2026 15:45:00 +0000

Values added (no values removed):

Description: the description text shown at the top of this page.
Title: Guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Weaknesses: CWE-311, CWE-319, CWE-636
References: (none listed)
Metrics: cvssV3_1, score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:44:40.427Z

Reserved: 2026-06-16T23:11:20.214Z

Link: CVE-2026-55568

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:15:04Z

Weaknesses
  • CWE-311

    Missing Encryption of Sensitive Data

  • CWE-319

    Cleartext Transmission of Sensitive Information

  • CWE-636

    Not Failing Securely ('Failing Open')