Impact
guzzlehttp/psr7 did not filter CR/LF characters in certain first‑party HTTP start‑line fields—request method, protocol version, and response reason phrase—before version 2.12.1. If an application injects attacker‑controlled data into any of these fields and later serializes the PSR‑7 message to a raw HTTP/1.x format, the resulting serialized text may include arbitrary header lines, enabling HTTP response splitting or other malleability attacks against downstream consumers of the message. This vulnerability can also be introduced through the Message::parseRequest() or Message::parseResponse() functions when malformed raw messages are parsed into PSR‑7 objects and then re‑serialized. Creation or modification of PSR‑7 objects alone does not trigger the flaw; the message must be serialized and transmitted to software that does not independently reject malformed start‑line characters. The vulnerability corresponds to CWE‑113 (HTTP Response Splitting) and CWE‑93 (Injection Through Data). The issue is fixed in 2.12.1.
Affected Systems
The vulnerability affects the guzzle http psr7 library in all releases older than 2.12.1. Any PHP application that incorporates this library and can place attacker-controlled values into the request method, protocol version, or response reason phrase—and subsequently serializes the message to the network—as well as code that writes PSR‑7 objects to other services.
Risk and Exploitability
The CVSS score of 4.8 denotes moderate severity. No EPSS score is available, so exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation requires the attacker to inject CR/LF characters into a start PSR‑7 object, and finally transmit the resulting raw HTTP text to a system that does not independently reject malformed start lines. The risk is elevated for applications that expose PSR‑7 serialization to external input or that forward serialized requests or responses to untrusted networks.
OpenCVE Enrichment
Github GHSA