HTTP Multiline Header Termination Vulnerability

The package laminas/laminas-diactoros (Diactoros) is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side. Affected versions of Diactoros accepted a single line feed (LF / \n ) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.

Affected versions

The following versions of Diactoros were affected:

• <=2.18.0
• 2.19.0
• 2.20.0
• 2.21.0
• 2.22.0
• 2.23.0
• 2.24.0-2.24.1
• 2.25.0-2.25.1

Action Taken

We have provided a patch that modifies the validations of header names and values such that they now identify line feeds at the start and end of these strings, invalidating the values. The following new releases were made with this patch:

• 2.18.1
• 2.19.1
• 2.20.1
• 2.21.1
• 2.22.1
• 2.23.1
• 2.24.2
• 2.25.2

Mitigations

To mitigate this vulnerability without updating your libraries, you can pass header names and values accepted from user input to trim() prior to passing them to HTTP messages:

$response = $response->withHeader(trim($headerName), trim($headerValue));