PT-2022-20518 · Guzzle · Guzzle

Published: 2022-06-21 · Updated: 2023-07-24 · CVE-2022-31090
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Guzzle versions prior to 6.5.8
Guzzle versions prior to 7.4.5

Description
Guzzle, an extensible PHP HTTP client, has a sensitive information leak issue. When using the Curl handler, the CURLOPT_HTTPAUTH option can specify an Authorization header. If a request responds with a redirect to a different origin, the CURLOPT_HTTPAUTH option should be removed to prevent curl from appending the Authorization header to the new request.

Recommendations
For Guzzle 7 users, upgrade to version 7.4.5 as soon as possible. For users of any earlier series of Guzzle, upgrade to version 6.5.8 or 7.4.5. As a temporary workaround, consider disabling redirects altogether. Alternatively, configure Guzzle to use its stream handler backend rather than curl.
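The configuration the advisory describes, placed beside the two workarounds it lists, as an added example that is not code from the advisory or from the Guzzle project. The host names and credentials are constructed placeholders; the `curl`, `allow_redirects`, `handler` and `auth` request options and the `on_redirect` hook are Guzzle's own, and the cross-origin logging in the third client is an extra, assumed detection measure rather than something the advisory prescribes.

```php
<?php
// Added example, not code from the advisory or the Guzzle project.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Handler\StreamHandler;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// Origin = scheme + host + port, with the default port filled in when absent.
function originOf(UriInterface $u): string
{
    $scheme = strtolower($u->getScheme());
    $port = $u->getPort() ?? ($scheme === 'https' ? 443 : 80);
    return sprintf('%s://%s:%d', $scheme, strtolower($u->getHost()), $port);
}

// With these curl options, curl itself attaches the Authorization header.
// Guzzle < 6.5.8 / < 7.4.5 left them set across a cross-origin redirect,
// so curl re-sent the credentials to the redirect target (constructed values).
$curlAuth = [CURLOPT_HTTPAUTH => CURLAUTH_DIGEST, CURLOPT_USERPWD => 'svc-user:placeholder-secret'];

// 1. Affected configuration: default curl handler and redirects followed.
$vulnerable = new Client(['base_uri' => 'https://api.example.test/', 'curl' => $curlAuth, 'allow_redirects' => true]);

// 2. Workaround: disable redirects. A 3xx is returned to the caller, who
//    decides whether to re-issue the request to the new origin at all.
$noRedirects = new Client(['base_uri' => 'https://api.example.test/', 'curl' => $curlAuth, 'allow_redirects' => false]);

// 3. Workaround: use the stream handler, so CURLOPT_HTTPAUTH is never in play
//    (credentials travel only as request headers, e.g. the basic `auth` option).
//    The on_redirect hook additionally logs every cross-origin hop for review.
$streamClient = new Client([
    'base_uri'        => 'https://api.example.test/',
    'handler'         => HandlerStack::create(new StreamHandler()),
    'auth'            => ['svc-user', 'placeholder-secret'],
    'allow_redirects' => [
        'max'         => 5,
        'on_redirect' => function (RequestInterface $req, ResponseInterface $res, UriInterface $to): void {
            if (originOf($req->getUri()) !== originOf($to)) {
                error_log(sprintf('cross-origin redirect %s -> %s (HTTP %d)', $req->getUri(), $to, $res->getStatusCode()));
            }
        },
    ],
]);
```

The second and third clients are the advisory's stopgaps only; the fix is the version upgrade, after which the curl handler drops CURLOPT_HTTPAUTH itself when a redirect leaves the original origin.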

Weakness Enumeration
Information Disclosure

Related Identifiers

CVE-2022-31090
DSA-5246-1
GHSA-25MQ-V84Q-4J7R
MGASA-2022-0338

Affected Products

Guzzle