Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13eG1oLTY1ZjctamN2d84AAy3w

Improper header name validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

Permalink: https://github.com/advisories/GHSA-wxmh-65f7-jcvw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eG1oLTY1ZjctamN2d84AAy3w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 12 months ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Percentage: 0.00318
EPSS Percentile: 0.70073

Identifiers: GHSA-wxmh-65f7-jcvw, CVE-2023-29197
References: Repository: https://github.com/guzzle/psr7
Blast Radius: 29.4

Affected Packages

packagist:guzzlehttp/psr7
Dependent packages: 2,658
Dependent repositories: 357,073
Downloads: 783,897,229 total
Affected Version Ranges: >= 2.0.0, < 2.4.5, < 1.9.1
Fixed in: 2.4.5, 1.9.1
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4
All unaffected versions: 1.9.1, 2.4.5, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0