
Nyholm

#37075 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-28159
7.5
2022-03-25
Guzzle · Guzzlehttp/Psr7 · CVE-2023-29197
**Name of the Vulnerable Software and Affected Versions**

guzzlehttp/psr7 versions prior to 1.9.1
guzzlehttp/psr7 versions prior to 2.4.5

**Description**

The issue concerns improper header parsing, allowing an attacker to sneak a newline (`\n`) into both header names and header values. Many servers will also accept a bare `\n` to terminate the header list, which is not in line with the specification, which states that `\r\n\r\n` should be used. This could potentially lead to application errors or to invalid HTTP requests being sent out, creating a possible denial-of-service vector if a remote service's web application firewall bans the application because it received malformed requests.

**Recommendations**

For guzzlehttp/psr7 versions prior to 1.9.1, upgrade to version 1.9.1 or later. For guzzlehttp/psr7 versions prior to 2.4.5, upgrade to version 2.4.5 or later. As a temporary workaround, consider validating HTTP header keys and/or values, and if using user-supplied values, filter them to strip leading or trailing newline characters before processing.
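The workaround above can be implemented outside the library. The following standalone PHP is an added example written for this page; it is not guzzlehttp/psr7's own code, and the function names and the sample inputs are constructed for illustration. It checks header names against the RFC 7230 token grammar, rejects CR, LF and other control characters in values, applies the advisory's trim-of-leading/trailing-newlines workaround before validation, and terminates the header list with `\r\n\r\n` rather than a bare `\n`.

```php
<?php
declare(strict_types=1);

// Added example: application-side header validation as suggested in the
// recommendations. Not Guzzle code; names and sample values are constructed.

/**
 * RFC 7230 "token": the only characters allowed in a header field name.
 * A name containing "\n" or "\r" can never match, so a value that would be
 * split into two header lines on the wire is rejected outright.
 */
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) === 1;
}

/**
 * RFC 7230 field-value content: visible ASCII, space, horizontal tab and
 * obs-text (0x80-0xFF). CR, LF, NUL and all other control bytes are rejected,
 * including a bare LF, which many servers would otherwise accept as a line end.
 */
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\t\x20-\x7E\x80-\xFF]*$/', $value) === 1;
}

/**
 * Temporary workaround from the advisory: strip leading and trailing newline
 * characters (and surrounding whitespace) from user-supplied values before
 * validating them. Interior newlines are deliberately left in place so that
 * isValidHeaderValue() still rejects them.
 */
function sanitizeHeaderValue(string $value): string
{
    return trim($value, " \t\r\n");
}

/**
 * Serialise a request head. Every header is validated first, and the header
 * list is terminated with CRLF CRLF as the specification requires.
 *
 * @param array<string,string> $headers
 */
function buildRequestHead(string $method, string $target, array $headers): string
{
    $lines = ["$method $target HTTP/1.1"];
    foreach ($headers as $name => $value) {
        if (!isValidHeaderName($name)) {
            throw new InvalidArgumentException(
                'Invalid header name: ' . addcslashes($name, "\0..\37")
            );
        }
        $value = sanitizeHeaderValue($value);
        if (!isValidHeaderValue($value)) {
            throw new InvalidArgumentException(
                "Invalid value for header $name: " . addcslashes($value, "\0..\37")
            );
        }
        $lines[] = "$name: $value";
    }
    return implode("\r\n", $lines) . "\r\n\r\n";
}

// Constructed test inputs: one clean header, one with only a trailing newline
// (repaired by the trim workaround), and two where the newline sits inside the
// value or the name and therefore must be rejected.
$samples = [
    'clean'            => ['X-Request-Id', 'abc123'],
    'trailing newline' => ['X-Forwarded-For', "203.0.113.7\n"],
    'newline in value' => ['X-Forwarded-For', "203.0.113.7\nX-Flag: 1"],
    'newline in name'  => ["X-Trace\nX-Flag", '1'],
];

foreach ($samples as $label => [$name, $value]) {
    try {
        $head = buildRequestHead('GET', '/', [$name => $value]);
        echo "$label: accepted, " . strlen($head) . " bytes, ends with CRLF CRLF: "
            . var_export(substr($head, -4) === "\r\n\r\n", true) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The name check is intentionally stricter than "no newline": it enforces the full token grammar, so characters such as `:` or a space in a name are rejected as well, which closes the same class of header-splitting problem without needing a list of forbidden bytes. Values are trimmed before validation so that legitimate input with a stray trailing newline still works, while anything that would add a second header line is refused.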