PT-2023-22763 · Slim+1 · Slim/Psr7+1
Grahamcampbell · Published 2023-04-17 · Updated 2025-03-03 · CVE-2023-30536
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: slim/psr7 versions prior to 1.6.1

Description: The issue allows an attacker to sneak a newline (`\n`) into both header names and header values. Although the HTTP specification states that `\r\n` terminates each header line and the header list, many servers also accept a bare `\n` as a line terminator. This could enable an attacker to craft invalid messages, potentially causing application errors or invalid HTTP requests being sent out through a PSR-18 HTTP client. The latter might present a denial-of-service vector if a remote service's web application firewall bans the application because it received malformed requests.

Recommendations: For versions prior to 1.6.1, upgrade to version 1.6.1, which resolves the issue. As a temporary workaround, restrict the input used for header names (and values) so that newlines (`\n`) cannot be introduced, until the upgrade is applied.
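The following is an added example, not code from slim/psr7 or from this advisory. It models, in Python, the two halves of the problem described above: a serializer that trusts header names and values as given (the pre-1.6.1 behaviour the advisory describes) and a receiver that, like "many servers", treats a bare `\n` as a line terminator, so an injected `\n` in a header value becomes an extra header on the wire. It then shows the workaround the advisory recommends as an input check. The function names, the lenient parser and the sample headers are all constructed for illustration; the validation rules follow RFC 7230 (token for names, no CR/LF or other control characters except tab in values), which goes slightly beyond the advisory's `\n`-only wording.

```python
"""Bare-LF header injection and the validating check that blocks it.

Added example; not slim/psr7 code. Function names and sample data are
constructed for illustration.
"""
from __future__ import annotations

import re

# RFC 7230 "token" characters, used for header names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: visible ASCII, obs-text (0x80-0xFF), SP and HTAB.
# CR, LF and all other control characters are rejected (assumption: obs-fold
# is treated as invalid, which is the strict reading of the RFC).
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def validate_header_name(name: str) -> bool:
    # fullmatch is essential: '$' in re.match would still accept a trailing '\n'
    return _TOKEN.fullmatch(name) is not None


def validate_header_value(value: str) -> bool:
    return _FIELD_VALUE.fullmatch(value) is not None


def serialize_request(method: str, target: str, headers: dict) -> bytes:
    """Naive serializer that trusts its inputs, like a client with no checks."""
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_headers_lenient(raw: bytes) -> list:
    """Receiver that accepts CRLF, bare LF or bare CR as a line terminator.

    This models the lenient servers the advisory mentions; it is not a real
    server implementation.
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    header_lines = re.split(r"\r\n|\n|\r", head)[1:]  # drop the request line
    parsed = []
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def serialize_request_checked(method: str, target: str, headers: dict) -> bytes:
    """The workaround: refuse any header that fails the RFC 7230 grammar."""
    for name, value in headers.items():
        if not validate_header_name(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not validate_header_value(value):
            raise ValueError(f"invalid header value for {name}: {value!r}")
    return serialize_request(method, target, headers)


def demo() -> dict:
    # Constructed sample: an attacker-controlled value carrying a bare LF.
    tainted = {"Host": "example.test", "X-Trace": "abc\nX-Injected: yes"}

    # Unchecked path: the lenient receiver now sees a header the app never set.
    seen = parse_headers_lenient(serialize_request("GET", "/", tainted))
    injected = ("X-Injected", "yes") in seen

    # Checked path: the same input is rejected before anything is sent.
    try:
        serialize_request_checked("GET", "/", tainted)
        rejected = False
    except ValueError:
        rejected = True

    return {"injected_via_unchecked_path": injected, "rejected_by_check": rejected}


if __name__ == "__main__":
    print(demo())
```

The same check applies to header names: a name such as `"X-Trace\nX-Injected"` fails `validate_header_name` because `\n` is not a token character. Note the use of `fullmatch` rather than `match` with `$`: in Python regexes `$` also matches just before a final newline, so an anchored `match` would silently accept exactly the payload this advisory is about.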

Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

ALT-PU-2025-1863
CVE-2023-30536
GHSA-Q2QJ-628G-VHFW
MGASA-2025-0023
OPENSUSE-SU-2025:0081-1
OPENSUSE-SU-2025:14688-1

Affected Products

Alt Linux
Slim/Psr7