Laminas · Laminas Diactoros · CVE-2022-31109
**Name of the Vulnerable Software and Affected Versions**
laminas-diactoros versions prior to 2.11.1
**Description**
The laminas-diactoros PHP package is vulnerable to potential host, protocol, and/or port modification of the `Laminas\Diactoros\Uri` instance associated with the incoming server request, because those values are taken from `X-Forwarded-*` headers supplied by the client. This can lead to XSS attacks or URL poisoning if the application embeds the resulting fully-qualified URL in links. The `X-Forwarded-*` headers have valid use cases, particularly in clustered environments using a load balancer.
**Recommendations**
For versions prior to 2.11.1, users are advised to upgrade to version 2.11.1 or later to resolve this issue.
For users unable to upgrade, configure web servers to reject `X-Forwarded-*` headers at the web server level.
As a temporary workaround, consider using the `Laminas\Diactoros\RequestFilter\NoOpRequestFilter` implementation to ignore the `X-Forwarded-*` headers.
Starting in version 3.0, the library will reverse this behavior and use the `NoOpRequestFilter` by default, requiring users to opt in to `X-Forwarded-*` header usage via a configured `Laminas\Diactoros\RequestFilter\LegacyXForwardedHeaderFilter` instance.
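Where neither an upgrade nor a web-server change is immediately possible, the same rejection can be applied in application code before the request object is built, since Diactoros derives the `Uri` from `$_SERVER` at construction time. The following is an added example, not code from the advisory or the laminas-diactoros project; the trusted-proxy list (`10.0.0.0/24`) and the helper names are hypothetical, and only IPv4 matching is implemented.

```php
<?php
declare(strict_types=1);

use Laminas\Diactoros\ServerRequestFactory;

/**
 * Drop HTTP_X_FORWARDED_* entries from a $_SERVER-style array unless the
 * direct peer (REMOTE_ADDR) is one of our own load balancers.
 * This must run BEFORE ServerRequestFactory::fromGlobals(), because the
 * request Uri is marshalled from these keys when the request is created.
 *
 * @param array<string,mixed> $server         copy of $_SERVER
 * @param list<string>        $trustedProxies IPv4 addresses or CIDR blocks (hypothetical list)
 */
function stripUntrustedForwardedHeaders(array $server, array $trustedProxies): array
{
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($trustedProxies as $proxy) {
        if (ipv4InCidr($peer, $proxy)) {
            return $server; // request came from a trusted balancer: keep its headers
        }
    }
    foreach (array_keys($server) as $key) {
        if (strncmp((string) $key, 'HTTP_X_FORWARDED_', 17) === 0) {
            unset($server[$key]); // untrusted peer: discard all X-Forwarded-* values
        }
    }
    return $server;
}

/** Exact match or IPv4 CIDR containment; anything unparsable is treated as untrusted. */
function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    // Build the network mask for the prefix length (assumes 64-bit PHP integers).
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Constructed setup: only the balancer subnet 10.0.0.0/24 may set X-Forwarded-*.
$server  = stripUntrustedForwardedHeaders($_SERVER, ['10.0.0.0/24']);
$request = ServerRequestFactory::fromGlobals($server, $_GET, $_POST, $_COOKIE, $_FILES);
```

With the headers removed from the array passed to `fromGlobals()`, the resulting `Uri` falls back to `Host`, `SERVER_NAME` and `SERVER_PORT` for requests that did not arrive via the trusted balancer.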