Skip to main content

guzzlehttp/psr7 CVE-2026-59882

| EUVDEUVD-2026-42319 MEDIUM
Interpretation Conflict (CWE-436)
2026-07-08 GitHub_M
4.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

UI:N reassigned from provided vector - SSRF bypass via crafted URI requires no human interaction, only attacker-controlled input to an API endpoint; AC:H and C:L/I:L retained as appropriate for host-parsing desync with conditional exploitability.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 17:20 vuln.today

DescriptionCVE.org

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.

AnalysisAI

Host validation bypass in guzzlehttp/psr7 before 2.12.3 enables URI authority confusion attacks against PHP applications that rely on Uri::getHost() for security-critical decisions. The Uri::assertValidHost() method accepts host strings containing authority delimiters, embedded ports, or malformed IPv6 brackets, causing a semantic split where getHost() returns a sanitized value that disagrees with the actual URI authority used for routing - a classic CWE-436 interpretation conflict exploitable for SSRF allowlist bypass or host-based access control evasion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted URI with malformed host to application endpoint
Delivery
Uri::assertValidHost() accepts authority-delimiter-embedded host
Exploit
Uri::getHost() returns sanitized host fragment
Execution
Application security check passes against allowlist
Persist
HTTP client routes request using full URI authority
Impact
Internal or restricted service responds to attacker-influenced request

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: first, the target application must run guzzlehttp/psr7 prior to version 2.12.3; second, the application must use Uri::getHost() output - directly or indirectly - to make a security-relevant decision such as SSRF allowlist enforcement, host-based routing, or access policy validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.2 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) correctly captures network reachability with meaningful constraints: AC:H reflects that exploitation depends on specific URI construction and application usage patterns, and UI:R suggests a user or upstream component must process the crafted URI. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a PHP application that uses guzzlehttp/psr7 to enforce an SSRF allowlist (e.g., permitting requests only to 'api.trusted.com') submits a crafted URL such as 'http://api.trusted.com@internal-service.corp/secret' to an endpoint that accepts user-supplied URLs. Uri::assertValidHost() accepts 'api.trusted.com@internal-service.corp' as valid, getHost() returns 'api.trusted.com' which passes the allowlist check, but the HTTP client routes the actual request to 'internal-service.corp', exposing internal services. …
Remediation Upgrade guzzlehttp/psr7 to version 2.12.3 or later using Composer: run 'composer require guzzlehttp/psr7:^2.12.3' and verify the resolved version with 'composer show guzzlehttp/psr7'. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy