guzzlehttp/psr7 is vulnerable to HTTP Request Smuggling. The vulnerability exists in the assertHeader function of MessageTrait.php due to improper header parsing, which allows an attacker to sneak a newline (\n) into both the header name and value, resulting in HTTP cache poisoning and phishing attacks.
cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66
github.com/guzzle/psr7/commit/18fd8915823bd9ca4156e84849e18970057dc7e4
github.com/guzzle/psr7/pull/556
github.com/guzzle/psr7/pull/557
github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
lists.debian.org/debian-lts-announce/2023/12/msg00028.html
lists.fedoraproject.org/archives/list/[email protected]/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
lists.fedoraproject.org/archives/list/[email protected]/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
www.rfc-editor.org/rfc/rfc7230#section-3.2.4
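
The kind of header check described above, as an added example that is not guzzlehttp/psr7's own code: it rejects any header name or value containing a newline or other control byte before the header reaches a message object. The function names and the sample headers are hypothetical, and the allowed character sets are taken from the RFC 7230 header field grammar.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not guzzlehttp/psr7 API.

// RFC 7230 "token": the only characters allowed in a header field name.
function isValidHeaderName(string $name): bool
{
    // \A...\z anchor the whole string. A plain "$" also matches just
    // before a trailing "\n", which would let "Name\n" through.
    return preg_match('/\A[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name) === 1;
}

// Field value: SP, HTAB, visible ASCII and obs-text bytes only.
// CR, LF, NUL and other control bytes are rejected, so line folding is too.
function isValidHeaderValue(string $value): bool
{
    return preg_match('/\A[\x20\x09\x21-\x7E\x80-\xFF]*\z/', $value) === 1;
}

/**
 * @param array<string, string|string[]> $headers
 * @return string[] one message per rejected name or value
 */
function findUnsafeHeaders(array $headers): array
{
    $problems = [];
    foreach ($headers as $name => $values) {
        $name = (string) $name; // numeric keys arrive as int
        if (!isValidHeaderName($name)) {
            $problems[] = 'bad name: ' . json_encode($name);
        }
        foreach ((array) $values as $value) {
            if (!isValidHeaderValue((string) $value)) {
                $problems[] = 'bad value for ' . json_encode($name);
            }
        }
    }
    return $problems;
}

// Constructed sample input, as it might arrive from untrusted data.
$headers = [
    'Accept'    => ['text/html', 'application/json'],
    "X-Trace\n" => 'abc',
    'X-Note'    => "hello\r\nX-Extra: 1",
    'X-Tail'    => "value\n",
];

foreach (findUnsafeHeaders($headers) as $problem) {
    echo $problem, PHP_EOL;
}
```

Run against the sample, the check reports the name "X-Trace\n" and the values of X-Note and X-Tail, and accepts both Accept values.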