Guzzle is a popular, extensible PHP HTTP client that allows you to send HTTP requests and is widely used in a variety of projects. Recently, a security vulnerability (CVE-2022-31090) has been identified in certain versions of Guzzle that can cause sensitive information leakage through mishandling of Authorization headers during redirects.

Vulnerability Details

In affected Guzzle versions, when using the Curl handler, you can use the CURLOPT_HTTPAUTH option to specify an Authorization header for a request. When the response for this request contains a redirect to a URI with a different origin (i.e., a change in host, scheme, or port), Guzzle should remove the CURLOPT_HTTPAUTH option before following the redirect. Failing to do so allows Curl to append the Authorization header to the new request, thus potentially exposing sensitive information to a different origin.

A partial fix was implemented in Guzzle v7.4.2, where a change in the host would trigger the removal of the Curl-added Authorization header. However, this fix did not cover changes in scheme or port, leaving the vulnerability open in certain scenarios.
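The following is an added example, not Guzzle's own code, that makes the distinction above concrete: it contrasts a host-only check (the 7.4.2 behaviour) with a full origin comparison over scheme, host and port, and strips the Authorization header and CURLOPT_HTTPAUTH from request options before a cross-origin redirect. The URLs and option keys are constructed for illustration.

```php
<?php
// Added example (not Guzzle's code): decide whether a redirect target is a
// different origin, so credentials must be dropped before following it.
declare(strict_types=1);

/** Normalize a URL to [scheme, host, port], filling in the default port. */
function originOf(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : ($scheme === 'http' ? 80 : null));
    return [$scheme, $host, $port];
}

/** 7.4.2-style check: host only. Misses http->https and port changes. */
function changesHostOnly(string $from, string $to): bool
{
    return originOf($from)[1] !== originOf($to)[1];
}

/** Full check: any change in scheme, host or port is a new origin. */
function changesOrigin(string $from, string $to): bool
{
    return originOf($from) !== originOf($to);
}

/** Strip credentials from the request options when the redirect crosses origins. */
function optionsForRedirect(array $options, string $from, string $to): array
{
    if (changesOrigin($from, $to)) {
        // Both the explicit header and the curl-level auth option must go.
        unset($options['headers']['Authorization'], $options['curl'][CURLOPT_HTTPAUTH]);
    }
    return $options;
}

// Constructed sample redirects: only the first is the same origin.
$cases = [
    ['https://api.example.com/v1', 'https://api.example.com/v2'],      // same origin
    ['https://api.example.com/v1', 'https://other.example.net/v1'],    // host change
    ['http://api.example.com/v1',  'https://api.example.com/v1'],      // scheme change only
    ['https://api.example.com/v1', 'https://api.example.com:8443/v1'], // port change only
];
foreach ($cases as [$from, $to]) {
    printf("%-30s -> %-34s hostOnly=%d full=%d\n", $from, $to,
        changesHostOnly($from, $to), changesOrigin($from, $to));
}
```

The scheme-only and port-only cases print hostOnly=0 but full=1, which is exactly the gap the partial fix left open.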

Affected Versions and Mitigation

Affected users should update their Guzzle installations as soon as possible. If you are using Guzzle 7, upgrade to Guzzle 7.4.5. If you are using an earlier series of Guzzle, upgrade to either Guzzle 6.5.8 or 7.4.5.

Here is a sample command demonstrating how to upgrade Guzzle using Composer:

composer require guzzlehttp/guzzle:"^7.4.5"

If your application does not require or expect to follow redirects, consider disabling redirects entirely so that the vulnerable code path is never reached. To disable redirects in Guzzle, set the allow_redirects option to false when creating the client, as shown in the example below:

<?php
// Redirects are not followed, so no Authorization header can be re-sent to another origin.
$client = new GuzzleHttp\Client([
    'allow_redirects' => false,
]);

Alternatively, you can opt to use the Guzzle Stream handler backend instead of Curl. To do so, set the handler option when creating the Guzzle client:

<?php
use GuzzleHttp\Handler\StreamHandler;
use GuzzleHttp\HandlerStack;

// Build the default middleware stack on top of the stream handler instead of Curl,
// so CURLOPT_HTTPAUTH is never involved.
$stack = HandlerStack::create(new StreamHandler());

$client = new GuzzleHttp\Client([
    'handler' => $stack,
]);

For more information on this vulnerability, you can refer to the following resources:

- Guzzle CVE-2022-31090 Security Advisory
- Guzzle Repository on GitHub
- Guzzle Documentation

Conclusion

CVE-2022-31090, a flaw in how Guzzle handles Authorization headers during redirects, can lead to sensitive information leakage to a different origin. Affected users should update their Guzzle installations and review how their applications handle redirects to mitigate this vulnerability.

Timeline

Published on: 06/27/2022 22:15:00 UTC
Last modified on: 07/11/2022 13:31:00 UTC