Skip to main content

guzzlehttp/psr7 EUVDEUVD-2026-38458

| CVE-2026-55766 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-19 https://github.com/guzzle/psr7 GHSA-vm85-hxw5-5432
4.8
CVSS 3.1 · Vendor: https://github.com/guzzle/psr7
Share

Severity by source

Vendor (https://github.com/guzzle/psr7) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network-reachable without authentication (AV:N/PR:N), but AC:H reflects three mandatory concurrent preconditions; integrity and confidentiality limited to header-level manipulation with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/guzzle/psr7).

CVSS VectorVendor: https://github.com/guzzle/psr7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 15:51 vuln.today
Analysis Generated
Jun 19, 2026 - 15:51 vuln.today

DescriptionCVE.org

Impact

guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again.

Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This is not the normal request-sending path used by guzzlehttp/guzzle; applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected.

Applications are most likely to be affected when they manually serialize PSR-7 messages, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, testing, or similar code. Depending on how downstream HTTP/1.1 components parse the serialized message, this may lead to header injection, response splitting, request smuggling, or cache poisoning.

Patches

The issue is patched in 2.12.1 and later. Starting in that release, guzzlehttp/psr7 rejects CR/LF characters in HTTP method, protocol version, and response reason phrase values before storing them in first-party message objects.

Workarounds

If you cannot upgrade immediately, reject CR/LF in untrusted method, protocol version, and reason phrase values before constructing or modifying PSR-7 messages.

Applications that parse, forward, replay, or serialize raw HTTP messages cannot work around the parser entry points by validating only after parsing. They should validate the raw start line before calling Message::parseRequest() or Message::parseResponse(), avoid reparsing untrusted raw messages, or upgrade. If an application runs with attacker-controlled synthetic $_SERVER values, validate REQUEST_METHOD and SERVER_PROTOCOL before calling ServerRequest::fromGlobals().

AnalysisAI

CRLF injection in guzzlehttp/psr7 (all versions prior to 2.12.1) enables header injection, response splitting, request smuggling, or cache poisoning when attacker-controlled data reaches the HTTP start-line fields - request method, protocol version, or response reason phrase - and the resulting PSR-7 object is serialized to raw HTTP/1.x. The vulnerability is confined to the serialization pathway: standard Guzzle HTTP client usage is explicitly not affected, but proxies, crawlers, webhook delivery systems, and custom transports that call Message::toString(), Message::parseRequest(), or Message::parseResponse() and re-emit the raw bytes are at direct risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply CR/LF in HTTP method, version, or reason phrase
Delivery
Application stores value in PSR-7 object without sanitization
Exploit
Application serializes PSR-7 message to raw HTTP/1.x via Message::toString()
Execution
Injected CRLF creates synthetic header boundary in serialized bytes
Persist
Downstream HTTP parser interprets injected bytes as legitimate headers
Impact
Header injection, response splitting, smuggling, or cache poisoning achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions to be simultaneously true. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) is defensible: network-reachable without authentication, but AC:H correctly captures the multiple concurrent preconditions required for exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a PHP webhook relay service sends an HTTP request with a crafted method string such as `GET X-Forwarded-For: attacker-host` to an endpoint that stores the method in a PSR-7 Request object and then forwards it by calling `Message::toString()` over a keep-alive connection to an upstream server. The upstream HTTP/1.1 parser, processing the serialized bytes, interprets the injected CRLF as a header boundary and treats `X-Forwarded-For: attacker-host` as a legitimate header, enabling header spoofing or, in a shared-connection context, request smuggling that desynchronizes the upstream parser and poisons the request queue for subsequent users. …
Remediation Upgrade guzzlehttp/psr7 to version 2.12.1 or later via `composer update guzzlehttp/psr7`; this is the vendor-confirmed fix that rejects CR/LF characters in HTTP method, protocol version, and reason phrase before storing them in PSR-7 message objects (vendor advisory: https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy