Impact
Guzzle is a PHP HTTP client. Versions earlier than 7.12.1 can incorrectly handle https:// proxies when the underlying libcurl is older than 7.50.2, resulting in a silent downgrade to plain HTTP. This leads to the transmission of proxy credentials and CONNECT headers in cleartext, exposing authentication data and connection details. The weakness is a cryptographic confidentiality flaw (CWE-311, CWE-319) and a protocol downgrade issue (CWE-636). The impact is the disclosure of sensitive credentials and connection details, but it does not enable code execution or denial‑of‑service.
Affected Systems
The issue affects PHP applications using guzzle:guzzle versions prior to 7.12.1, configured with the default cURL handlers and an https:// proxy, when the running libcurl library is older than 7.50.2. If these conditions are met, the client will send credentials and CONNECT requests unencrypted to the proxy.
Risk and Exploitability
The CVSS score of 5.9 shows moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. An attacker positioned on the network path between the client and the proxy could observe the cleartext Proxy-Authorization header and CONNECT request, thereby stealing credentials and monitoring the request destination. The vulnerability does not provide a direct code‑execution or denial‑of‑service vector; it primarily enables credential and traffic disclosure.
OpenCVE Enrichment
Github GHSA