Lucene search
K
GuzzlephpGuzzle

7 matches found

CVE
CVE
added 2022/06/09 12:0 a.m.143 views

CVE-2022-31043

CVE-2022-31043 affects the PHP HTTP client Guzzle . The vulnerability arises when a request uses HTTPS and the server redirects to an HTTP URI, causing the Authorization header to be forwarded when it should be stripped. Prior fixes removed the header for host changes but not for scheme changes, ...

7.5CVSS7.5AI score0.0182EPSS
CVE
CVE
added 2022/06/09 12:0 a.m.137 views

CVE-2022-31042

Guzzle CVE-2022-31042 affects the handling of Cookie headers during redirects (https→http or host changes). The issue was fixed by stripping cookies on redirects and re-adding only safe cookies via the cookie middleware. Affected versions require upgrades: Guzzle 7 should move to 7.4.4 or later, ...

7.5CVSS7.6AI score0.0182EPSS
CVE
CVE
added 2022/06/27 12:0 a.m.136 views

CVE-2022-31090

CVE-2022-31090 affects Guzzle (PHP HTTP client): when using the Curl handler, a request following a redirect to a different origin can keep the CURLOPT_HTTPAUTH-injected Authorization header, enabling potential exposure of sensitive credentials. Root cause: the Authorization header is not cleared...

7.7CVSS7.4AI score0.01762EPSS
CVE
CVE
added 2022/05/25 12:0 a.m.132 views

CVE-2022-29248

Guzzle prior to 6.5.6 and 7.4.3 exposed a cookie-domain validation flaw in the cookie middleware: a response Set-Cookie header could set cookies for unrelated domains if the cookie middleware was enabled (or cookies => true) and the client reused a single Guzzle instance across domains. The co...

8.1CVSS7.8AI score0.01239EPSS
CVE
CVE
added 2022/06/27 12:0 a.m.118 views

CVE-2022-31091

CVE-2022-31091 affects the Guzzle HTTP client. When following redirects that change port (or scheme/host), the request may inappropriately retain sensitive headers (Authorization, Cookie). The issue is that a redirect to a URI with a different port previously did not trigger header removal for sc...

7.7CVSS7.5AI score0.0138EPSS
CVE
CVE
added 2026/06/23 2:54 p.m.65 views

CVE-2026-55568

Summary (CVE-2026-55568) : Guzzle’s built‑in cURL handlers (CurlHandler/CurlMultiHandler) can downgrade an https:// proxy to plaintext when using libcurl older than 7.50.2, exposing proxy credentials and the CONNECT host/port. The issue occurs if an https proxy is configured and the app runs with...

5.9CVSS5.9AI score0.00106EPSS
CVE
CVE
added 2026/06/23 3:5 p.m.19 views

CVE-2026-55767

Summary: Guzzle 7.x before 7.12.1 is vulnerable to cookie domain handling flaws in CookieJar. dot-only Domain attributes (e.g., Domain=., Domain=.., or whitespace-padded variants) are normalized to an empty domain, and the code path that rejects only an empty domain still allows it to match any h...

5.8CVSS5.9AI score0.00111EPSS