Fluid Attacks Database

Description

Improper header name validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php-nyholm-psr7	=1.3.2-2 \|\| >=0 <1.3.2-2+deb11u1	1.3.2-2+deb11u1
debian 13	php-nyholm-psr7	>=0 <1.5.1-2	1.5.1-2
packagist	guzzlehttp/psr7	>=0 <1.9.1 \|\| >=2.0.0 <2.4.5	1.9.1, 2.4.5
debian 11	php-guzzlehttp-psr7	=1.7.0-1 \|\| =1.7.0-1+deb11u1 \|\| >=0 <1.7.0-1+deb11u2	1.7.0-1+deb11u2
debian 12	php-guzzlehttp-psr7	>=0 <2.4.5-1	2.4.5-1
debian 13	php-guzzlehttp-psr7	>=0 <2.4.5-1	2.4.5-1
debian 12	php-nyholm-psr7	>=0 <1.5.1-2	1.5.1-2
debian 14	php-guzzlehttp-psr7	>=0 <2.4.5-1	2.4.5-1
debian 14	php-nyholm-psr7	>=0 <1.5.1-2	1.5.1-2

Aliases

1. CVE-2023-291972. NVD-2023-291973. OSV-DEBIAN-2023-291974. OSV-2023-291975. GHSA-q7rv-6hp3-vh966. GHSA-wxmh-65f7-jcvw7. GCVE-2023-291978. SECURITY-TRACKER-CVE-2023-291979. lists.debian.org

References

1. https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh962. https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-247754. https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml5. https://lists.fedoraproject.org/archives/list/[email protected]/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF6. https://lists.fedoraproject.org/archives/list/[email protected]/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U7. https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4