CVE-2026-59882 in psr7
Summary
by MITRE • 07/08/2026
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in guzzlehttp/psr7 affects the Uri::assertValidHost() method prior to version 2.12.3, creating a critical inconsistency between host validation and URI authority parsing. This flaw stems from inadequate input sanitization where the method fails to properly reject malicious host components that contain authority delimiters such as colons or at symbols, embedded ports that could be exploited for bypassing security checks, or malformed IPv6 address brackets that do not conform to standard formatting requirements. The root cause aligns with CWE-20, which addresses improper input validation, and specifically relates to improper handling of special characters in URI components.
When a URI contains maliciously crafted host data, the assertValidHost() method may accept these inputs while the getHost() method returns a different representation that conflicts with the actual authority portion used for security decisions. This discrepancy creates potential attack vectors where an application might route requests based on one host value while treating another as the authoritative source for access control or authentication purposes. The vulnerability essentially allows for host component manipulation that could be exploited to bypass security controls or manipulate routing logic, particularly in environments where URI parsing drives critical security decisions.
The operational impact of this vulnerability extends beyond simple parsing inconsistencies and creates real security risks in applications that rely on proper URI authority validation. Attackers could potentially craft malicious URIs that appear valid to one part of the system while being interpreted differently by other components, leading to potential path traversal attacks, unauthorized access to resources, or bypassing of authentication mechanisms. The issue particularly affects systems where URI authority is used for determining access rights, routing decisions, or security policy enforcement, making it a significant concern for web applications and API gateways that process user-supplied URLs.
Security mitigations for this vulnerability require updating to version 2.12.3 or later of the guzzlehttp/psr7 library where the Uri::assertValidHost() method properly validates host components against all authority delimiters, embedded ports, and IPv6 bracket formatting rules. Organizations should also implement additional input validation layers at application boundaries and conduct thorough security testing of URI handling code paths to ensure no other components are susceptible to similar issues. The fix addresses the core problem by ensuring consistency between host validation and authorization logic, preventing scenarios where different parts of the system interpret the same URI differently for security purposes. This vulnerability demonstrates the importance of maintaining strict input validation in HTTP libraries and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation, where improper handling of network communications can lead to privilege escalation or unauthorized access opportunities.