7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
30.9%
The package laminas/laminas-diactoros (Diactoros) is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side. Affected versions of Diactoros accepted a single line feed (LF / \n
) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote serviceβs web application firewall bans the application due to the receipt of malformed requests.
The following versions of Diactoros were affected:
We have provided a patch that modifies the validations of header names and values such that they now identify line feeds at the start and end of these strings, invalidating the values. The following new releases were made with this patch:
To mitigate this vulnerability without updating your libraries, you can pass header names and values accepted from user input to trim()
prior to passing them to HTTP messages:
$response = $response->withHeader(trim($headerName), trim($headerValue));