PT-2022-20519 · Guzzle · Guzzle

Grahamcampbell · Published 2022-06-21 · Updated 2023-05-22 · CVE-2022-31091

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Guzzle versions prior to 6.5.8
Guzzle versions prior to 7.4.5

Description
Guzzle, an extensible PHP HTTP client, treats the Authorization and Cookie request headers as sensitive information. In affected versions, when a request receives a redirect to a URI on a different port and the redirect is followed, the Authorization and Cookie headers should be removed from the request before proceeding, but only a change of host or scheme triggered this removal; a change of port alone left the headers in place, so they were sent to the new port.

Recommendations
For Guzzle 7 users, upgrade to version 7.4.5 as soon as possible. For users of any earlier series of Guzzle, upgrade to version 6.5.8 or 7.4.5. As a temporary workaround, if you are unable to upgrade, consider using your own redirect middleware instead of the default one. If redirects are not required or expected, consider disabling redirects altogether.
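The origin comparison at the heart of this advisory, as an added example that is not Guzzle's own code: the legacy check compares only scheme and host, the fixed check also compares the effective port, and only the fixed check strips Authorization and Cookie for a redirect from https://api.example.com/ to https://api.example.com:8443/. URLs, header values and the helper names are constructed for illustration; absolute URLs are assumed (a real middleware resolves a relative Location against the request URI first).

```php
<?php
// Added example, not Guzzle's code. Assumes absolute URLs on both sides.

function defaultPort(string $scheme): ?int
{
    // Port implied by the scheme when the URL carries none.
    return ['http' => 80, 'https' => 443][strtolower($scheme)] ?? null;
}

function effectivePort(array $parts): ?int
{
    return $parts['port'] ?? defaultPort($parts['scheme'] ?? '');
}

// Behaviour before 6.5.8 / 7.4.5: only a scheme or host change counts as
// leaving the origin, so a redirect to another port keeps the credentials.
function crossesOriginLegacy(string $from, string $to): bool
{
    $a = parse_url($from);
    $b = parse_url($to);
    return strtolower($a['scheme'] ?? '') !== strtolower($b['scheme'] ?? '')
        || strtolower($a['host'] ?? '') !== strtolower($b['host'] ?? '');
}

// Fixed behaviour: a different effective port is also a different origin.
function crossesOrigin(string $from, string $to): bool
{
    return crossesOriginLegacy($from, $to)
        || effectivePort(parse_url($from)) !== effectivePort(parse_url($to));
}

// Headers a request may still carry after following the redirect.
function headersForRedirect(array $headers, string $from, string $to): array
{
    if (!crossesOrigin($from, $to)) {
        return $headers;
    }
    $sensitive = ['authorization', 'cookie'];
    return array_filter(
        $headers,
        fn(string $name) => !in_array(strtolower($name), $sensitive, true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed sample: same scheme and host, different port.
$headers = ['Authorization' => 'Bearer <token>', 'Cookie' => 'sid=abc', 'Accept' => 'application/json'];
$from = 'https://api.example.com/v1/report';
$to   = 'https://api.example.com:8443/v1/report';
var_dump(crossesOriginLegacy($from, $to), crossesOrigin($from, $to));
print_r(array_keys(headersForRedirect($headers, $from, $to)));
```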

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2022-31091
DSA-5246-1
GHSA-Q559-8M2M-G699
MGASA-2022-0338

Affected Products

Guzzle