Impact
Guzzle is an extensible PHP HTTP client. Prior to version 7.12.1, the CookieJar component incorrectly accepts cookies whose Domain attribute consists of only a dot or contains whitespace padding. The SetCookie::matchesDomain() method removes leading dots, normalizing a dot-only domain to an empty string; SetCookie::validate() only rejects a strictly empty domain, allowing these cookies to be stored. The empty normalized domain then matches any request host, so an attacker-controlled origin that an application requests using a shared cookie jar can set a cookie that Guzzle will subsequently send to unrelated hosts using the same jar. This flaw enables cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. The issue is resolved in Guzzle 7.12.1.
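To make the normalization gap concrete, the following is an added, simplified PHP model of the logic the advisory describes; it is not Guzzle's source. The function names, the assumption that normalization also drops surrounding whitespace, and the sample Domain values and request host are all constructed for illustration.

```php
<?php
// Simplified model of the cookie-domain handling described in the advisory.
// This is NOT Guzzle's code; it reproduces the described behaviour so the
// flawed check and a stricter one can be compared side by side.

// Normalization as described: strip leading dots. Surrounding whitespace is
// assumed (hypothetically) to be dropped as well, which is what lets a
// whitespace-padded Domain attribute collapse to an empty string.
function normalizeDomain(string $domain): string
{
    return ltrim(strtolower(trim($domain)), '.');
}

// Vulnerable check: only a strictly empty raw Domain is rejected, so "."
// and whitespace-only values pass even though they normalize to "".
function validateVulnerable(string $domain): bool
{
    return $domain !== '';
}

// Hardened check: validate the normalized form, not the raw attribute.
function validateHardened(string $domain): bool
{
    return normalizeDomain($domain) !== '';
}

// Matching as described: an empty normalized cookie domain matches every
// host; otherwise the host must equal the cookie domain or be a subdomain.
function matchesDomain(string $cookieDomain, string $requestHost): bool
{
    $cookieDomain = normalizeDomain($cookieDomain);
    $requestHost = strtolower($requestHost);
    if ($cookieDomain === '' || $cookieDomain === $requestHost) {
        return true;
    }
    if (filter_var($requestHost, FILTER_VALIDATE_IP)) {
        return false;
    }
    return (bool) preg_match('/\.' . preg_quote($cookieDomain, '/') . '$/', $requestHost);
}

// Constructed Domain attributes checked against an unrelated internal host.
$samples = ['.', ' . ', 'other.example', '  ', ''];
foreach ($samples as $domain) {
    printf(
        "Domain=%-16s vulnerable:%-5s hardened:%-5s matches api.internal.test:%s\n",
        var_export($domain, true),
        validateVulnerable($domain) ? 'ok' : 'drop',
        validateHardened($domain) ? 'ok' : 'drop',
        matchesDomain($domain, 'api.internal.test') ? 'yes' : 'no'
    );
}
```

The dot-only and whitespace-only rows are accepted by the vulnerable check yet match a host they have no relation to, while the hardened check drops them before they reach the jar.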
Affected Systems
The flaw affects the PHP HTTP client Guzzle (vendor and product identified as guzzle:guzzle) in all releases prior to 7.12.1. Any application that uses Guzzle 7.x earlier than 7.12.1 and shares a cookie jar across domains is potentially impacted.
Risk and Exploitability
The CVSS score of 5.8 places the vulnerability in the medium severity range. No EPSS score is published, so the exact likelihood of exploitation is uncertain, and it is not in the CISA KEV database. The main entry point is the application’s HTTP requests: if an attacker can dictate a request sent through a shared CookieJar, they can set a cookie that will be sent to any domain the jar serves. Successful exploitation could result in the injection of a cookie or session fixation against downstream services. No exotic prerequisites are required, indicating that the flaw can be widely exploited on affected installations.
OpenCVE Enrichment
Github GHSA