7 matches found
CVE-2022-31043
CVE-2022-31043 affects the PHP HTTP client Guzzle . The vulnerability arises when a request uses HTTPS and the server redirects to an HTTP URI, causing the Authorization header to be forwarded when it should be stripped. Prior fixes removed the header for host changes but not for scheme changes, ...
CVE-2022-31042
Guzzle CVE-2022-31042 affects the handling of Cookie headers during redirects (https→http or host changes). The issue was fixed by stripping cookies on redirects and re-adding only safe cookies via the cookie middleware. Affected versions require upgrades: Guzzle 7 should move to 7.4.4 or later, ...
CVE-2022-31090
CVE-2022-31090 affects Guzzle (PHP HTTP client): when using the Curl handler, a request following a redirect to a different origin can keep the CURLOPT_HTTPAUTH-injected Authorization header, enabling potential exposure of sensitive credentials. Root cause: the Authorization header is not cleared...
CVE-2022-29248
Guzzle prior to 6.5.6 and 7.4.3 exposed a cookie-domain validation flaw in the cookie middleware: a response Set-Cookie header could set cookies for unrelated domains if the cookie middleware was enabled (or cookies => true) and the client reused a single Guzzle instance across domains. The co...
CVE-2022-31091
CVE-2022-31091 affects the Guzzle HTTP client. When following redirects that change port (or scheme/host), the request may inappropriately retain sensitive headers (Authorization, Cookie). The issue is that a redirect to a URI with a different port previously did not trigger header removal for sc...
CVE-2026-55568
Summary (CVE-2026-55568) : Guzzle’s built‑in cURL handlers (CurlHandler/CurlMultiHandler) can downgrade an https:// proxy to plaintext when using libcurl older than 7.50.2, exposing proxy credentials and the CONNECT host/port. The issue occurs if an https proxy is configured and the app runs with...
CVE-2026-55767
Summary: Guzzle 7.x before 7.12.1 is vulnerable to cookie domain handling flaws in CookieJar. dot-only Domain attributes (e.g., Domain=., Domain=.., or whitespace-padded variants) are normalized to an empty domain, and the code path that rejects only an empty domain still allows it to match any h...