Grahamcampbell

**Name of the Vulnerable Software and Affected Versions** Laminas Diactoros versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0 **Description** The issue is related to improper header parsing, where an attacker could sneak in a newline into both the header names and values, potentially leading to denial of service vectors or application errors. This can occur when users create HTTP requests or responses using laminas/laminas-diactoros and provide a newline at the start or end of a header key or value, causing an invalid message. **Recommendations** For versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, update to the patched versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1 respectively. As a temporary workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

**Name of the Vulnerable Software and Affected Versions** slim/psr7 versions prior to 1.6.1 **Description** The issue allows an attacker to sneak in a newline (` `) into both the header names and values. Although the specification states that `r r ` is used to terminate the header list, many servers also accept ` `. This could enable an attacker to craft invalid messages, potentially causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service's web application firewall bans the application due to the receipt of malformed requests. **Recommendations** For versions prior to 1.6.1, upgrade to version 1.6.1 to resolve the issue. As a temporary workaround, consider restricting the input of header names to prevent the introduction of newlines (` `) until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Guzzle versions prior to 6.5.8 Guzzle versions prior to 7.4.5 **Description** Guzzle, an extensible PHP HTTP client, has a issue where `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions, when making a request that responds with a redirect to a URI with a different port, if the redirect is followed, the `Authorization` and `Cookie` headers should be removed from the request before proceeding. Previously, only changes in host or scheme would trigger this removal. **Recommendations** For Guzzle 7 users, upgrade to version 7.4.5 as soon as possible. For users of any earlier series of Guzzle, upgrade to version 6.5.8 or 7.4.5. As a temporary workaround, consider using your own redirect middleware instead of the default one if you are unable to upgrade. If redirects are not required or expected, consider disabling redirects altogether.

**Name of the Vulnerable Software and Affected Versions** guzzlehttp/psr7 versions prior to 1.9.1 guzzlehttp/psr7 versions prior to 2.4.5 **Description** The issue concerns improper header parsing, allowing an attacker to sneak in a newline (` `) into both the header names and values. Many servers will also accept ` ` to terminate the header list, which is not in line with the specification that states `r r ` should be used. This could potentially lead to application errors or invalid HTTP requests being sent out, possibly causing a denial of service vector if a remote service's web application firewall bans the application due to the receipt of malformed requests. **Recommendations** For guzzlehttp/psr7 versions prior to 1.9.1, upgrade to version 1.9.1 or later. For guzzlehttp/psr7 versions prior to 2.4.5, upgrade to version 2.4.5 or later. As a temporary workaround, consider validating HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before processing.