CVE-2022-24775 in psr7
Summary
by MITRE • 03/21/2022
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/22/2025
The vulnerability identified as CVE-2022-24775 affects the guzzlehttp/psr7 library, which serves as a fundamental component in PHP applications for handling PSR-7 HTTP messages. This library is widely adopted across the PHP ecosystem for its robust implementation of HTTP message interfaces, making it a critical dependency for web applications, APIs, and microservices. The flaw manifests in the library's header parsing mechanism, where insufficient validation allows malicious input to bypass security controls. The vulnerability specifically targets the library versions prior to 1.8.4 and 2.1.1, indicating a long-standing issue that required significant attention from the maintainers to resolve properly.
The technical implementation of this vulnerability stems from improper handling of newline characters within HTTP header values. When the library processes untrusted input containing newline characters, it fails to sanitize these sequences properly, allowing attackers to inject additional headers or manipulate existing ones. This behavior creates a parsing inconsistency where legitimate header values can be corrupted or extended with malicious content, potentially leading to header injection attacks. The flaw operates at the application layer and directly impacts how HTTP headers are interpreted and processed within PHP applications that rely on this library for message handling.
From an operational perspective, this vulnerability presents significant risks to web applications that depend on the guzzlehttp/psr7 library for HTTP communication. Attackers could exploit this weakness to inject malicious headers, potentially redirecting traffic, manipulating authentication mechanisms, or bypassing security controls. The impact extends beyond simple header manipulation as it could enable more sophisticated attacks such as cache poisoning, cross-site scripting vector exploitation, or session hijacking attempts. Applications using vulnerable versions may experience data integrity issues, unauthorized access, or potential service disruption, making this a critical concern for security-conscious organizations.
The fix implemented in versions 1.8.4 and 2.1.1 addresses the core parsing issue through enhanced input validation and proper sanitization of header values. This remediation aligns with industry best practices for preventing header injection vulnerabilities, which are commonly categorized under CWE-117 in the Common Weakness Enumeration system. Organizations should prioritize updating their dependencies to the patched versions, as no effective workarounds exist for this particular vulnerability. The solution demonstrates the importance of maintaining up-to-date dependencies and implementing robust input validation mechanisms, particularly when handling untrusted data in HTTP contexts. Security teams should conduct comprehensive audits of their PHP applications to identify all instances of the vulnerable library versions and ensure complete remediation across their infrastructure.