CVE-2023-29197 - guzzlehttp/psr7 Improper Header Parsing Could Allow Header Injection Attacks

guzzlehttp/psr7 is a popular PHP library that provides an implementation of the PSR-7 HTTP message interface. However, affected versions of this library are vulnerable to improper header parsing that might allow an attacker to sneak in a newline ("\n") character into both the header names and values, leading to potential security issues.

This vulnerability is related to the earlier issue tracked as CVE-2022-24775, but it has been discovered that the fix provided was incomplete. The issue has now been patched in versions 1.9.1 and 2.4.5. It is strongly recommended to update to the patched versions to secure your application from potential attacks.

The Vulnerability

guzzlehttp/psr7 suffers from a weakness where it allows newline characters to be injected into header names and values. This may permit an attacker to perform header injection and smuggling attacks. The PSR-7 specification states that the header list should be terminated using "\r\n\r\n"; however, it has been discovered that many servers will also accept "\n\n" as a valid termination sequence.

An attacker could exploit this vulnerability by crafting maliciously formed HTTP requests containing newline characters in the header values, potentially leading to security issues like response splitting, information disclosure, or bypassing security controls.

Below is a simple example of creating a request using guzzlehttp/psr7 that demonstrates the vulnerability in action:

<?php
require 'vendor/autoload.php';

use GuzzleHttp\Psr7\Request;

$headerName = "X-Custom-Header";
$headerValue = "legitimate_value\nContent-Length: \n\nContent-Type: text/html";

$request = new Request("GET", "https://example.com";, [$headerName => $headerValue]);
echo $request->getHeaderLine($headerName);
// Output: legitimate_value\nContent-Length: \n\nContent-Type: text/html
?>

Affected Versions

All versions of guzzlehttp/psr7 before 1.9.1 and 2.4.5 are susceptible to this vulnerability.

Mitigation

The only known solution for this issue is to upgrade guzzlehttp/psr7 to versions 1.9.1 or 2.4.5 depending on the major version you are using. No workarounds have been identified at this time.

To upgrade, simply update your composer.json file and run composer update

{
    "require": {
        "guzzlehttp/psr7": "^1.9.1 || ^2.4.5"
    }
}

References & Credits

- guzzlehttp/psr7 GitHub Repository
- PSR-7: HTTP message interfaces
- CVE-2022-24775 Follow-Up Fix in 1.9.1 version
- CVE-2022-24775 Follow-Up Fix in 2.4.5 version

The discovery and investigation of this vulnerability are credited to the developers and security researchers involved in identifying and addressing the issue, as well as the maintainers of guzzlehttp/psr7 for their prompt response and patching efforts.

Timeline

Published on: 04/17/2023 22:15:00 UTC
Last modified on: 05/03/2023 18:12:00 UTC