Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
UI:N reassigned from provided vector - SSRF bypass via crafted URI requires no human interaction, only attacker-controlled input to an API endpoint; AC:H and C:L/I:L retained as appropriate for host-parsing desync with conditional exploitability.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
AnalysisAI
Host validation bypass in guzzlehttp/psr7 before 2.12.3 enables URI authority confusion attacks against PHP applications that rely on Uri::getHost() for security-critical decisions. The Uri::assertValidHost() method accepts host strings containing authority delimiters, embedded ports, or malformed IPv6 brackets, causing a semantic split where getHost() returns a sanitized value that disagrees with the actual URI authority used for routing - a classic CWE-436 interpretation conflict exploitable for SSRF allowlist bypass or host-based access control evasion. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the target application must run guzzlehttp/psr7 prior to version 2.12.3; second, the application must use Uri::getHost() output - directly or indirectly - to make a security-relevant decision such as SSRF allowlist enforcement, host-based routing, or access policy validation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.2 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) correctly captures network reachability with meaningful constraints: AC:H reflects that exploitation depends on specific URI construction and application usage patterns, and UI:R suggests a user or upstream component must process the crafted URI. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a PHP application that uses guzzlehttp/psr7 to enforce an SSRF allowlist (e.g., permitting requests only to 'api.trusted.com') submits a crafted URL such as 'http://api.trusted.com@internal-service.corp/secret' to an endpoint that accepts user-supplied URLs. Uri::assertValidHost() accepts 'api.trusted.com@internal-service.corp' as valid, getHost() returns 'api.trusted.com' which passes the allowlist check, but the HTTP client routes the actual request to 'internal-service.corp', exposing internal services. … |
| Remediation | Upgrade guzzlehttp/psr7 to version 2.12.3 or later using Composer: run 'composer require guzzlehttp/psr7:^2.12.3' and verify the resolved version with 'composer show guzzlehttp/psr7'. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
CRLF injection in guzzlehttp/psr7 versions prior to 2.10.2 allows remote unauthenticated attackers to inject arbitrary H
Host confusion in guzzlehttp/psr7 (all versions prior to 2.10.2) allows unauthenticated network attackers to supply a ma
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42319