Improper Input Validation in guzzlehttp/psr7
Description
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper header parsing in guzzlehttp/psr7 before 1.8.4 and 2.1.1 allows an attacker to inject newline characters and pass untrusted header values.
Vulnerability
The guzzlehttp/psr7 PSR-7 HTTP message library versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could insert a newline character (CR or LF) into a header value, allowing untrusted data to be injected into HTTP headers [3]. The library did not validate that header values conform to RFC 7230 section 3.2.4, which specifies that only visible ASCII characters and spaces/tabs are allowed in field values [1]. The fix was implemented in commit 9a96d9db668b485361ed9de7b5bf1e54895df1dc [4].
Exploitation
An attacker who can control header values passed to the library (e.g., by manipulating user input that is later used as a header value in an HTTP request or response) can inject a newline character (\n or \r\n). No special network position is required beyond the ability to supply the header value; this could be a user or another process passing untrusted input to guzzlehttp/psr7. The attacker does not require authentication if the application accepts untrusted header input. The sequence is: the attacker crafts a payload containing a newline and further header lines, which the library then places into the outgoing message [3].
Impact
Successful exploitation leads to HTTP header injection. Depending on how the header is used downstream, this can result in request smuggling, response splitting, cache poisoning, or cross-site scripting (if the header is reflected). The attacker may be able to bypass security controls or perform actions with the privilege of the affected server or client [3]. The CIA impact is primarily integrity and availability (via cache poisoning or request smuggling), with potential confidentiality breaches.
Mitigation
The issue is patched in versions 1.8.4 and 2.1.1, both released in March 2022 [3]. Users should upgrade immediately. The 1.x branch is now end-of-life (EOL) as of 2024-06-30 [2]; users on 1.x are strongly encouraged to migrate to the 2.x series. There are currently no known workarounds [3].
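The RFC 7230 field-value rule described under Vulnerability and the patched behaviour under Mitigation, as an added example that is not guzzle/psr7's own code: a hypothetical pair of checks (assertHeaderName, assertHeaderValue, isSafeHeader) that rejects any header name or value carrying CR, LF or other control bytes, run over constructed sample inputs.

```php
<?php
declare(strict_types=1);

// Added example (not guzzle/psr7's own code): reject header values that
// fall outside RFC 7230 section 3.2.4 field-content before they reach a
// message. Function names here are hypothetical.

/** Allowed octets: SP, HTAB, VCHAR (0x21-0x7E) and obs-text (0x80-0xFF). */
function assertHeaderValue(string $value): void
{
    // \A and \z anchor to the whole string; a plain $ would still match
    // before a trailing "\n", which is exactly the byte we must reject.
    if (!preg_match('/\A[\x20\x09\x21-\x7E\x80-\xFF]*\z/', $value)) {
        throw new InvalidArgumentException('invalid header value: ' . json_encode($value));
    }
}

/** Header names must be RFC 7230 tokens (1*tchar). */
function assertHeaderName(string $name): void
{
    if (!preg_match('/\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/', $name)) {
        throw new InvalidArgumentException('invalid header name: ' . json_encode($name));
    }
}

/** True if the name/value pair may be placed into an outgoing message. */
function isSafeHeader(string $name, string $value): bool
{
    try {
        assertHeaderName($name);
        assertHeaderValue($value);
        return true;
    } catch (InvalidArgumentException $e) {
        return false;
    }
}
// Constructed sample inputs: two carry the CR/LF the advisory describes,
// one carries a line break in the name, and one uses a permitted HTAB.
$samples = [
    ['Location', '/account'],                      // plain value
    ['Location', "/account\r\nX-Injected: 1"],     // CRLF inside the value
    ['X-Note',   "first\nsecond"],                 // bare LF inside the value
    ['X-Note',   "tab\tseparated"],                // HTAB is valid field-content
    ["X-Bad\r\n", 'value'],                        // line break inside the name
];

foreach ($samples as [$name, $value]) {
    printf("%-6s %s\n", isSafeHeader($name, $value) ? 'OK' : 'REJECT', json_encode([$name, $value]));
}
```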
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| guzzlehttp/psr7 (Packagist) | < 1.8.4 | 1.8.4 |
| guzzlehttp/psr7 (Packagist) | >= 2.0.0, < 2.1.1 | 2.1.1 |
Affected products
- (no CPE) range: >= 8.0.0, < 9.2.16
- (no CPE) range: < 1.8.4
- guzzle/psr7 range: < 1.8.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q7rv-6hp3-vh96 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24775 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml (web)
- github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1 (web)
- github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc (web)
- github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 (web, vendor confirmation)
- www.drupal.org/sa-core-2022-006 (web, vendor confirmation)
- www.rfc-editor.org/rfc/rfc7230 (web)
News mentions
No linked articles in our index yet.