Skip to main content

Guzzle HTTP Client CVE-2026-55767

| EUVDEUVD-2026-38457 MEDIUM
Origin Validation Error (CWE-346)
2026-06-19 https://github.com/guzzle/guzzle GHSA-cwxw-98qj-8qjx
5.8
CVSS 3.1 · Vendor: https://github.com/guzzle/guzzle
Share

Severity by source

Vendor (https://github.com/guzzle/guzzle) PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
vuln.today AI
5.8 MEDIUM

Network-delivered attack with no credentials required; scope changes as injected cookies transit to downstream trusted services; integrity impact is limited (cookie injection only, no direct data modification).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (https://github.com/guzzle/guzzle).

CVSS VectorVendor: https://github.com/guzzle/guzzle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 15:53 vuln.today
Analysis Generated
Jun 19, 2026 - 15:53 vuln.today

DescriptionCVE.org

Impact

CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host.

An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. Applications are affected when they use Guzzle's cookie support, for example new Client(['cookies' => true]) or an explicit shared CookieJar, and reuse the same jar across attacker-controlled and trusted origins.

Applications that do not use Guzzle's cookie support, or that use separate cookie jars per origin or trust boundary, are not affected. This issue is distinct from public suffix list validation: dot-only domains contain no domain label and should not match unrelated hosts.

Patches

The issue is patched in 7.12.1 and later. Starting in that release, Guzzle rejects dot-only cookie Domain attributes and prevents an empty normalized cookie domain from matching any request host.

Workarounds

If you cannot upgrade immediately, do not reuse the same CookieJar instance across untrusted and trusted origins. Use separate cookie jars per origin or trust boundary, or disable cookie handling for requests to untrusted hosts.

Avoid using new Client(['cookies' => true]) for clients that may contact unrelated hosts with different trust levels, because that option creates one shared jar for the client.

AnalysisAI

Cookie domain validation in guzzlehttp/guzzle before 7.12.1 allows cross-origin cookie injection when a shared CookieJar contacts both attacker-controlled and trusted hosts. The flaw stems from SetCookie::matchesDomain() normalizing dot-only Domain values (e.g., 'Domain=.', 'Domain=..') to an empty string, while SetCookie::validate() only rejected strictly empty domains - meaning normalized-empty domains were stored and silently treated as matching every request host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker operates or compromises third-party HTTP server
Delivery
Victim PHP app contacts attacker server using shared CookieJar
Exploit
Server responds with Set-Cookie using dot-only Domain attribute
Install
Guzzle normalizes domain to empty string, bypasses validate(), stores cookie
C2
App makes subsequent request to trusted downstream service
Execute
Injected cookie sent to trusted host
Impact
Session fixation or unauthorized cookie injection achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the application uses Guzzle's cookie support, either via new Client(['cookies' => true]) or by passing an explicit CookieJar instance to the client constructor; (2) the same CookieJar instance is reused across HTTP requests to both an attacker-reachable origin (a server the attacker controls or can respond from) and at least one trusted origin that will accept the injected cookie; (3) the attacker-controlled server issues a Set-Cookie header with a dot-only Domain attribute such as Domain=., Domain=.., or a whitespace-padded variant like Domain= . … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) reflects a network-reachable, low-complexity attack with scope change into downstream systems, producing limited integrity impact via cookie injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A PHP application aggregates data from multiple third-party REST APIs using a single Guzzle client configured with new Client(['cookies' => true]). An attacker who controls one of those third-party endpoints - or who can compromise or spoof one - responds with Set-Cookie: authtoken=attacker_value; Domain=. …
Remediation The primary fix is to upgrade guzzlehttp/guzzle to version 7.12.1 or later via Composer (composer require guzzlehttp/guzzle:^7.12.1); this release both rejects dot-only Domain attributes at ingestion time and prevents an empty normalized domain from matching any host. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy