Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Network-delivered attack with no credentials required; scope changes as injected cookies transit to downstream trusted services; integrity impact is limited (cookie injection only, no direct data modification).
Primary rating from Vendor (https://github.com/guzzle/guzzle).
CVSS VectorVendor: https://github.com/guzzle/guzzle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host.
An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. Applications are affected when they use Guzzle's cookie support, for example new Client(['cookies' => true]) or an explicit shared CookieJar, and reuse the same jar across attacker-controlled and trusted origins.
Applications that do not use Guzzle's cookie support, or that use separate cookie jars per origin or trust boundary, are not affected. This issue is distinct from public suffix list validation: dot-only domains contain no domain label and should not match unrelated hosts.
Patches
The issue is patched in 7.12.1 and later. Starting in that release, Guzzle rejects dot-only cookie Domain attributes and prevents an empty normalized cookie domain from matching any request host.
Workarounds
If you cannot upgrade immediately, do not reuse the same CookieJar instance across untrusted and trusted origins. Use separate cookie jars per origin or trust boundary, or disable cookie handling for requests to untrusted hosts.
Avoid using new Client(['cookies' => true]) for clients that may contact unrelated hosts with different trust levels, because that option creates one shared jar for the client.
AnalysisAI
Cookie domain validation in guzzlehttp/guzzle before 7.12.1 allows cross-origin cookie injection when a shared CookieJar contacts both attacker-controlled and trusted hosts. The flaw stems from SetCookie::matchesDomain() normalizing dot-only Domain values (e.g., 'Domain=.', 'Domain=..') to an empty string, while SetCookie::validate() only rejected strictly empty domains - meaning normalized-empty domains were stored and silently treated as matching every request host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the application uses Guzzle's cookie support, either via new Client(['cookies' => true]) or by passing an explicit CookieJar instance to the client constructor; (2) the same CookieJar instance is reused across HTTP requests to both an attacker-reachable origin (a server the attacker controls or can respond from) and at least one trusted origin that will accept the injected cookie; (3) the attacker-controlled server issues a Set-Cookie header with a dot-only Domain attribute such as Domain=., Domain=.., or a whitespace-padded variant like Domain= . … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) reflects a network-reachable, low-complexity attack with scope change into downstream systems, producing limited integrity impact via cookie injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A PHP application aggregates data from multiple third-party REST APIs using a single Guzzle client configured with new Client(['cookies' => true]). An attacker who controls one of those third-party endpoints - or who can compromise or spoof one - responds with Set-Cookie: authtoken=attacker_value; Domain=. … |
| Remediation | The primary fix is to upgrade guzzlehttp/guzzle to version 7.12.1 or later via Composer (composer require guzzlehttp/guzzle:^7.12.1); this release both rejects dot-only Domain attributes at ingestion time and prevents an empty normalized domain from matching any host. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38457
GHSA-cwxw-98qj-8qjx