CVE-2022-24775: guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 (on the 1.x branch) and 2.1.1 (on the 2.x branch) do not properly validate header values: an attacker who controls a value that the application places in a request or response header could sneak a new-line character into it and so pass untrusted values. Once such a message is serialized, whatever follows the line break is emitted as a separate header line, which is the classic CRLF header-injection primitive. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds, so updating is the only fix.

The advisory covers this one header-validation flaw. Rate limiting and output sanitization are not something the library provides or promises: it only builds and parses HTTP messages, so those concerns belong to the application and the server in front of it, and they are not part of CVE-2022-24775.
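The following is an added example and not code from guzzlehttp/psr7 or from the advisory. It contrasts a header setter that merely trims its input (the class of behaviour the advisory describes) with one that enforces the RFC 7230 field-value grammar, and serializes both the way the header block would go on the wire. The attacker-controlled value, the function names and the serializer are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not guzzlehttp/psr7 code: naive vs. validated header setting.

/** Naive setter: strips surrounding blanks but accepts anything else, CR/LF included. */
function naiveWithHeader(array $headers, string $name, string $value): array
{
    $headers[$name] = trim($value, " \t");
    return $headers;
}

/** Header name must be an RFC 7230 token (1*tchar). */
function assertHeaderName(string $name): void
{
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
    }
}

/** Header value: VCHAR / SP / HTAB / obs-text only, so CR, LF and other controls are rejected. */
function assertHeaderValue(string $value): void
{
    if (!preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
        throw new InvalidArgumentException('Invalid header value: ' . json_encode($value));
    }
}

/** Hardened setter: validate first, then trim. */
function safeWithHeader(array $headers, string $name, string $value): array
{
    assertHeaderName($name);
    assertHeaderValue($value);
    $headers[$name] = trim($value, " \t");
    return $headers;
}

/** Serialize the header block as it would appear on the wire (CRLF-separated, blank line at the end). */
function serializeHeaders(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines) . "\r\n\r\n";
}

// Constructed attacker-controlled value: a redirect target that smuggles in a second header.
$tainted = "/home\r\nSet-Cookie: session=attacker-chosen";

// 1. Naive path: the injected line survives trim() and is emitted as a header of its own.
echo serializeHeaders(naiveWithHeader([], 'Location', $tainted));

// 2. Hardened path: the value is rejected before it can reach the wire.
try {
    safeWithHeader([], 'Location', $tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI: the naive path prints a Location line followed by a Set-Cookie line the application never intended to send, while the hardened path throws before anything is written. The value regex deliberately allows no form of line folding; if your own code needs a multi-valued header, pass the values as separate array entries rather than joining them with a line break.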

What’s the standard for PHP Error Codes?

In general, PHP error codes give developers and administrators a quick way to troubleshoot errors in their code. For example, if an error occurs while processing a file upload from a form, PHP records a numeric error code for that file in $_FILES; a developer could then run the following code:
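As an added example (not code from the original page), here is an upload check that reads PHP's per-file error code before doing anything with the file. The function names and the two-megabyte limit are arbitrary choices for the illustration; the UPLOAD_ERR_* constants and is_uploaded_file() are PHP's own.

```php
<?php
declare(strict_types=1);

// Added example: act on PHP's upload error code before touching the file.

/** Map a PHP UPLOAD_ERR_* code to a short message that reveals nothing about the server. */
function uploadErrorMessage(int $code): string
{
    switch ($code) {
        case UPLOAD_ERR_OK:         return 'ok';
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:  return 'file too large';
        case UPLOAD_ERR_PARTIAL:    return 'upload was interrupted';
        case UPLOAD_ERR_NO_FILE:    return 'no file was sent';
        case UPLOAD_ERR_NO_TMP_DIR:
        case UPLOAD_ERR_CANT_WRITE:
        case UPLOAD_ERR_EXTENSION:  return 'server-side upload failure';
        default:                    return 'unknown upload error';
    }
}

/**
 * Validate one $_FILES entry and return the temporary path to process, or throw.
 * @param array{error?:mixed,tmp_name?:string,size?:int} $file  one entry of $_FILES
 */
function acceptUpload(array $file, int $maxBytes): string
{
    // A missing or non-integer code is treated as a failure, never as success.
    $code = is_int($file['error'] ?? null) ? $file['error'] : UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException(uploadErrorMessage($code), $code);
    }
    // Enforce your own limit as well as php.ini's; the form's MAX_FILE_SIZE is client-controlled.
    if (($file['size'] ?? 0) > $maxBytes) {
        throw new RuntimeException(uploadErrorMessage(UPLOAD_ERR_FORM_SIZE), UPLOAD_ERR_FORM_SIZE);
    }
    // Only accept files PHP itself received for this request, not arbitrary paths.
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    return $tmp;
}

// Usage inside a request handler (the field name "document" is assumed):
// try {
//     $path = acceptUpload($_FILES['document'] ?? [], 2 * 1024 * 1024);
//     move_uploaded_file($path, '/var/app/uploads/' . bin2hex(random_bytes(16)));
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo $e->getMessage();
// }
```

The error code only tells you whether PHP received the file; it says nothing about what the file contains, so content-type and size checks still belong in your own code.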

Versioning and Deployment

guzzlehttp/psr7 is not something you deploy on its own: it is a Composer library, and it usually arrives as a transitive dependency of guzzlehttp/guzzle or of another package that builds PSR-7 messages, so it can be present even when it is not listed in your composer.json. The --no-dev flag only omits packages under require-dev and does nothing for this library. The remediation is to update it to 1.8.4 or 2.1.1 (or later) with composer update guzzlehttp/psr7, then confirm the installed version with composer show guzzlehttp/psr7; Composer 2.4 and later can also flag the advisory with composer audit. Blocking an IP address or domain at the web server is not a mitigation, because the flaw lies in how the application's own code turns untrusted input into headers, not in who sends the request.
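As an added example (not the advisory's or the library's own code), here is a script that reads the installed guzzlehttp/psr7 version through Composer's runtime API and reports whether it carries the fix. It assumes Composer 2 (which provides the Composer\InstalledVersions class) and a vendor/autoload.php next to the script; the function names are arbitrary.

```php
<?php
declare(strict_types=1);

use Composer\InstalledVersions;

// Added example: compare the installed guzzlehttp/psr7 against the CVE-2022-24775 fixed releases.
// Assumes Composer 2 and that vendor/autoload.php sits beside this script.
require __DIR__ . '/vendor/autoload.php';

const PSR7_PACKAGE = 'guzzlehttp/psr7';

/**
 * True when $version (a normalized Composer version such as "1.8.3.0") is at or
 * above the fixed release for its branch: 1.8.4 for 1.x, 2.1.1 for 2.x.
 */
function psr7IsPatched(string $version): bool
{
    if (version_compare($version, '2.0.0', '>=')) {
        return version_compare($version, '2.1.1', '>=');
    }
    return version_compare($version, '1.8.4', '>=');
}

function main(): int
{
    if (!InstalledVersions::isInstalled(PSR7_PACKAGE)) {
        echo PSR7_PACKAGE, ' is not installed, directly or transitively', PHP_EOL;
        return 0;
    }
    $version = InstalledVersions::getVersion(PSR7_PACKAGE);
    // Branch aliases such as "dev-master" or "9999999-dev" cannot be compared numerically.
    if ($version === null || !preg_match('/^\d+(\.\d+)*$/', $version)) {
        echo PSR7_PACKAGE, ': non-release version ', var_export($version, true), '; check it by hand', PHP_EOL;
        return 2;
    }
    $patched = psr7IsPatched($version);
    echo PSR7_PACKAGE, ' ', $version, ': ', $patched ? 'patched' : 'VULNERABLE to CVE-2022-24775', PHP_EOL;
    return $patched ? 0 : 1;
}

exit(main());
```

The exit code makes the script usable as a CI gate: 0 when the library is absent or patched, 1 when it is vulnerable, 2 when the version cannot be judged automatically.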
