CVE-2023-29197

Severity: High · EPSS 64.8%
Published Apr 17, 2023 (3y ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score: 7.5 (High)

Description

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions parse headers improperly: an attacker could sneak a bare newline (\n) into both header names and header values. Although the specification states that \r\n\r\n terminates the header list, many servers in the wild also accept \n\n, so a bare \n can be enough to split a header. This is a follow-up to CVE-2022-24775, whose fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability; users are advised to upgrade.
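As an added illustration (example code written for this record, not guzzle/psr7's own implementation), the following PHP validator applies the RFC 7230 section 3.2 grammar cited in the references so that a bare \n in a header name or value is rejected, not just the \r\n sequence; the class and sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not guzzle/psr7's own code: a strict check in the spirit of
// RFC 7230 section 3.2 that rejects a bare "\n" (or "\r") in header names/values.
final class StrictHeaderValidator
{
    // token = 1*tchar. The /D modifier stops "$" from matching before a
    // trailing newline, which would otherwise let "Host\n" through.
    private const NAME_PATTERN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D';
    // field-value = *( VCHAR / obs-text / SP / HTAB ); CR and LF are never
    // allowed, so a lone "\n" fails just like "\r\n".
    private const VALUE_PATTERN = '/^[ \t\x21-\x7E\x80-\xFF]*$/D';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::NAME_PATTERN, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_PATTERN, $value) === 1;
    }

    public static function assertHeader(string $name, string $value): void
    {
        if (!self::isValidName($name)) {
            throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
        }
        if (!self::isValidValue($value)) {
            throw new InvalidArgumentException('Invalid header value: ' . json_encode($value));
        }
    }
}

// Constructed sample inputs; cases 2 and 3 use the bare "\n" the advisory describes.
$samples = [
    ['X-Request-Id', 'abc123'],             // valid
    ["X-Forwarded-For\nX-Injected", '1'],   // newline in the name
    ['Location', "/home\nSet-Cookie: a=b"], // newline in the value
    ['Accept', "text/html\r\n"],            // trailing CRLF
];
foreach ($samples as [$name, $value]) {
    try {
        StrictHeaderValidator::assertHeader($name, $value);
        echo "accepted: {$name}\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first sample is accepted; the other three are rejected regardless of whether the newline is bare or part of a CRLF, which is the behaviour the 1.9.1 / 2.4.5 fixes restore.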

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
64.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-436

Affected Products (4)

Vendor          Product   Version   Range
guzzlephp       psr-7     *         <1.9.1
guzzlephp       psr-7     *         >=2.0.0 and <2.4.5
fedoraproject   fedora    37        any
fedoraproject   fedora    38        any

References (7)

  • cve.mitre.org https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
    Not Applicable
  • github.com https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
    Not Applicable
  • github.com https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
    Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
    Mailing List, Third Party Advisory
  • rfc-editor.org https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
    Technical Description

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.