Edorian

**Name of the Vulnerable Software and Affected Versions** jmespath.php versions prior to 2.9.1 **Description** Insufficient escaping of parsed JMESPath function names into generated PHP source allows for the generation and execution of attacker-controlled PHP code. This occurs when `JmesPathCompilerRuntime` is used with a crafted JMESPath expression, causing the generated cache file to contain executable code that is subsequently loaded by the compiler runtime. **Recommendations** Update to version 2.9.1 or later. Disable `JP PHP COMPILE` as a temporary workaround. Avoid using `JmesPathCompilerRuntime` with attacker-controlled expressions and use the default `AstRuntime` for untrusted expressions instead.

**Name of the Vulnerable Software and Affected Versions** guzzlehttp/psr7 versions prior to 2.10.2 **Description** Improper Host header validation occurs when parsing raw HTTP request messages or deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.example`. When this value is used to construct a URI, it can be reinterpreted as URI userinfo and host, causing the resulting request URI host to differ from the original Host header. This affects applications using the `GuzzleHttpPsr7Message::parseRequest()` function, the legacy `GuzzleHttpPsr7parse request()` function, or those building server requests from attacker-controlled server variables that rely on the URI host for routing, allow-list checks, or forwarding. In gateway or forwarding scenarios, this may lead to requests or credentials being sent to an unintended host. **Recommendations** Update to version 2.10.2. As a temporary workaround, validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or `parse request()` on untrusted data, or before making routing and forwarding decisions. Reject Host values that contain userinfo, path, query, or fragment delimiters.

**Name of the Vulnerable Software and Affected Versions** guzzlehttp/psr7 versions prior to 2.10.2 **Description** The library fails to reject ASCII control characters, whitespace, or DEL in first-party URI host components. When an application uses a user-controlled URL to construct a PSR-7 `Uri` or `Request` without an explicit `Host` header, the host component containing CRLF or other header-unsafe characters is copied into the `Host` header. If the HTTP client does not independently reject the malformed host, an attacker can inject additional attacker-controlled header lines. This can lead to request smuggling or cache poisoning in environments using HTTP/1.1 connection reuse, proxies, gateways, or load balancers. This issue affects applications performing outbound HTTP requests, URL forwarding, proxying, crawling, or webhook delivery. **Recommendations** Update to version 2.10.2 or later. As a temporary workaround, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances, specifically rejecting input containing ASCII control characters, whitespace, or DEL (including CRLF, tab, space, NUL, or DEL characters). Ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.