
Guzzle Psr7 vulnerabilities

4 known vulnerabilities affecting guzzle/psr7.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3

Vulnerabilities

CVE-2022-24775 | P3 | HIGH | CVSS 7.5 | fixed in 1.9.1 | v >= 2.0.0, < 2.4.5 | 2022-03-21
CVE-2022-24775 [HIGH] CWE-20: guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
nvd
CVE-2026-48998 | P4 | MEDIUM | CVSS 5.3 | fixed in 2.10.2 | 2026-06-11
CVE-2026-48998 [MEDIUM] CWE-20: guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.
nvd
CVE-2026-49214 | P4 | MEDIUM | CVSS 5.3 | fixed in 2.10.2 | 2026-06-11
CVE-2026-49214 [MEDIUM] CWE-20: guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7 `Uri` or `Request`. Third, the host compo
nvd
CVE-2026-55766 | P4 | MEDIUM | CVSS 4.8 | fixed in 2.12.1 | 2026-06-23
CVE-2026-55766 [MEDIUM] CWE-93: guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR
nvd