Improper header name validation in guzzlehttp/psr7
Description
CVE-2023-29197 is an improper header parsing vulnerability in guzzlehttp/psr7 where a newline character can be injected into header names/values, bypassing the fix from CVE-2022-24775.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-29197 is an improper header parsing vulnerability in the guzzlehttp/psr7 library, a PSR-7 HTTP message implementation in PHP. The flaw arises from insufficient validation of header names and values, allowing an attacker to inject a newline character (\n) into header fields. While the HTTP specification (RFC 7230) mandates \r\n\r\n to terminate the header block, many real-world servers also accept \n\n, enabling this injection to bypass the original fix applied for CVE-2022-24775 [3][1].
Exploitation
Details
An attacker can exploit this vulnerability by crafting malicious HTTP requests or responses containing header names or values with embedded newlines. This injection can cause the recipient to misinterpret the boundaries between headers and the message body, potentially leading to request smuggling or response splitting. The attack requires no authentication and can be performed over standard HTTP connections, making it accessible to any network-level adversary [2].
Impact
Successful exploitation could allow an attacker to manipulate HTTP message parsing in PHP applications using the vulnerable library. This may lead to cache poisoning, cross-site scripting (XSS) in certain contexts, or bypassing security controls that rely on header integrity. The vulnerability has a CVSS v3.1 base score of 7.5 (High), reflecting the potential for significant impact without user interaction [3].
Mitigation
The issue has been patched in guzzlehttp/psr7 versions 1.9.1 and 2.4.5. Users are strongly advised to update immediately, as no known workarounds exist [3]. The project has also marked the 1.x branch as end-of-life (EOL) as of June 2024, emphasizing the need to migrate to version 2.x [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
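The Overview above describes the flaw as a bare LF slipping past a check that only looked for CRLF. The following is an added example, not code from guzzlehttp/psr7 or its fix, showing the kind of strict header validation that closes that gap: any CR or LF in a header name or value is rejected before the header is serialised. The character classes follow the RFC 7230 token and field-value grammar; the constant and function names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not guzzlehttp/psr7 code: a strict header check in the spirit
// of the CVE-2023-29197 fix. Rejects any CR or LF (bare LF included) in a
// header name or value rather than only the CRLF sequence.

// token = 1*tchar (RFC 7230 section 3.2.6)
const HEADER_NAME_RE = '/\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';
// field-value: VCHAR, SP, HTAB, obs-text. Excludes CR (0x0D), LF (0x0A) and
// every other control byte. \A and \z are used on purpose: PCRE's $ matches
// before a trailing "\n", so "value\n" would pass a /^...$/ pattern.
const HEADER_VALUE_RE = '/\A[ \t\x21-\x7E\x80-\xFF]*\z/';

function isValidHeaderName(string $name): bool
{
    return preg_match(HEADER_NAME_RE, $name) === 1;
}

function isValidHeaderValue(string $value): bool
{
    return preg_match(HEADER_VALUE_RE, $value) === 1;
}

/** Validate every header before serialisation; throws on the first bad one. */
function serializeHeaders(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        if (!isValidHeaderName((string) $name)) {
            throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
        }
        if (!isValidHeaderValue((string) $value)) {
            throw new InvalidArgumentException("Invalid header value for $name: " . json_encode($value));
        }
        $out .= "$name: $value\r\n";
    }
    return $out;
}

// Constructed samples: a clean header set and one carrying a bare LF that
// would otherwise be emitted as a second header line.
$good = ['Host' => 'example.test', 'X-Trace' => 'abc123'];
$bad  = ['X-Trace' => "abc123\nX-Injected: yes"];

echo serializeHeaders($good);
try {
    serializeHeaders($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Because the value regex whitelists bytes rather than blacklisting "\r\n", it also catches a lone CR, a NUL or any other control byte, which is the property the original CRLF-only check lacked.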
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| guzzlehttp/psr7 (Packagist) | < 1.9.1 | 1.9.1 |
| guzzlehttp/psr7 (Packagist) | >= 2.0.0, < 2.4.5 | 2.4.5 |
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-wxmh-65f7-jcvw (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-29197 (NVD advisory)
- cve.mitre.org/cgi-bin/cvename.cgi
- github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
- github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
- lists.debian.org/debian-lts-announce/2023/12/msg00028.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U
- www.rfc-editor.org/rfc/rfc7230