Impact
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, the CookieJar component incorrectly accepts cookies whose Domain attribute consists of only a dot or contains whitespace padding. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
Affected Systems
The flaw affects the PHP HTTP client Guzzle, from vendors identified as guzzle:guzzle, for all releases prior to 7.12.1. Any application using Guzzle 7.x earlier than 7.12.1 and that shares a cookie jar across domains is potentially impacted.
Risk and Exploitability
The CVSS score of 5.8 places the vulnerability in the medium severity range. No EPSS score is published, so the exact likelihood of exploitation is uncertain, and it is not in the CISA KEV database. The main entry point is the application’s HTTP requests: if an attacker can dictate a request sent through a shared CookieJar, they can set a cookie that will be sent to any domain the jar serves. Successful exploitation could result in the injection of a cookie or session fixation against downstream services. No exotic prerequisites are required, indicating that the flaw can be widely exploited on affected installations.
OpenCVE Enrichment
Github GHSA