PT-2022-20534 · Laminas · Laminas Diactoros

Maximilian Kresse · Published 2022-07-27 · Updated 2022-08-06 · CVE-2022-31109

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: laminas-diactoros versions prior to 2.11.1

Description: The laminas-diactoros PHP package builds the Laminas\Diactoros\Uri instance for the incoming server request from the X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Port headers whenever they are present, without checking that the request actually arrived through a trusted proxy. Any client can therefore send those headers directly and change the host, scheme and/or port of the request URI. If the application renders that fully-qualified URL into links, redirects or canonical URLs, the result is URL poisoning (users are sent to an attacker-chosen host) or XSS (a crafted header value lands unescaped in the page). The X-Forwarded-* headers do have valid use cases, particularly in clustered environments where a load balancer terminates TLS and forwards to backends, which is why the library honoured them by default.

Recommendations: Users of versions prior to 2.11.1 are advised to upgrade to version 2.11.1 or later to resolve this issue. Users unable to upgrade should configure the web server to reject or strip X-Forwarded-* headers before they reach PHP (for example with mod_headers on Apache, `RequestHeader unset X-Forwarded-Host` and the same for X-Forwarded-Proto and X-Forwarded-Port). As a temporary workaround, the Laminas\Diactoros\RequestFilter\NoOpRequestFilter implementation can be used to ignore the X-Forwarded-* headers entirely. Starting in version 3.0, the library will reverse the default: X-Forwarded-* headers will be ignored unless users opt in by configuring a Laminas\Diactoros\RequestFilter\LegacyXForwardedHeaderFilter instance. Deployments behind a load balancer that take either route must keep the proxy itself supplying the forwarded values, otherwise generated URLs fall back to the backend's own scheme and host.
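The following is an added example, not code from laminas-diactoros. It reimplements, in plain PHP with no library dependency, the marshalling behaviour described above (X-Forwarded-Proto/Host/Port override the SAPI values for anyone who sends them) beside a hardened variant that strips those headers unless the TCP peer is one of our own proxies, which with an empty trust list behaves like the no-op filter the workaround recommends. The sample `$server` and `$headers` arrays, the hostnames and the proxy address are constructed for illustration; the function names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not laminas-diactoros code: a minimal stand-in for the
// URI marshalling behaviour described above, with the pre-2.11.1 default
// (X-Forwarded-* honoured from anyone) next to a hardened variant that
// honours those headers only when the request came from a listed proxy.

/** Case-insensitive lookup of one header from a name => value array. */
function headerValue(array $headers, string $name, ?string $default = null): ?string
{
    foreach ($headers as $key => $value) {
        if (strcasecmp((string) $key, $name) === 0) {
            return is_array($value) ? implode(', ', $value) : (string) $value;
        }
    }
    return $default;
}

/** Assemble scheme://host[:port]path, omitting the scheme's default port. */
function buildUri(string $scheme, string $host, ?int $port, string $path): string
{
    $defaultPort = $scheme === 'https' ? 443 : 80;
    $authority   = ($port === null || $port === $defaultPort) ? $host : $host . ':' . $port;
    return $scheme . '://' . $authority . $path;
}

/**
 * Vulnerable behaviour: X-Forwarded-Proto, X-Forwarded-Host and
 * X-Forwarded-Port override what the SAPI reports, whoever sent them.
 */
function marshalUriTrustingForwarded(array $server, array $headers): string
{
    $scheme = (isset($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    if (strcasecmp(headerValue($headers, 'x-forwarded-proto') ?? '', 'https') === 0) {
        $scheme = 'https';
    }

    $host = headerValue($headers, 'x-forwarded-host')
        ?? headerValue($headers, 'host')
        ?? ($server['SERVER_NAME'] ?? '');

    $port = headerValue($headers, 'x-forwarded-port') ?? ($server['SERVER_PORT'] ?? null);

    return buildUri($scheme, $host, $port === null ? null : (int) $port, $server['REQUEST_URI'] ?? '/');
}

/**
 * Hardened behaviour: strip every X-Forwarded-* header unless the TCP peer
 * (REMOTE_ADDR) is one of our own load balancers. With an empty trust list
 * this behaves like the no-op filter recommended as a workaround.
 */
function marshalUriFromTrustedProxy(array $server, array $headers, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (! in_array($peer, $trustedProxies, true)) {
        $headers = array_filter(
            $headers,
            static fn ($name): bool => stripos((string) $name, 'x-forwarded-') !== 0,
            ARRAY_FILTER_USE_KEY
        );
    }
    return marshalUriTrustingForwarded($server, $headers);
}

// Constructed sample: a client talking to the app directly (not via a proxy)
// forges X-Forwarded-* to rewrite the scheme and host of the request URI.
$server = [
    'SERVER_NAME' => 'app.example.test',
    'SERVER_PORT' => '80',
    'REQUEST_URI' => '/login',
    'REMOTE_ADDR' => '203.0.113.7',   // constructed client address, not a proxy
];
$headers = [
    'Host'              => 'app.example.test',
    'X-Forwarded-Host'  => 'evil.example',
    'X-Forwarded-Proto' => 'https',
    'X-Forwarded-Port'  => '443',
];

$poisoned = marshalUriTrustingForwarded($server, $headers);
$kept     = marshalUriFromTrustedProxy($server, $headers, ['10.0.0.5']); // constructed proxy address

// A "fully qualified" link built from the poisoned URI points at the attacker's
// host; an X-Forwarded-Host containing '"' or '<' would likewise break out of
// any href the application builds from it without escaping.
printf("vulnerable: %s\n", $poisoned);
printf("hardened:   %s\n", $kept);
```

Run it with `php example.php`: the first line carries the scheme and host taken from the forged headers, the second the values the SAPI reported. The trusted-proxy check is this example's own choice; the library's NoOpRequestFilter named above simply ignores the headers, which is the right default for an application that is not behind a proxy, and the check to add at the web server is that nothing but your own load balancer can set X-Forwarded-* on requests reaching PHP.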

Exploit

Fix

XSS

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

CVE-2022-31109
GHSA-8274-H5JP-97VR

Affected Products

Laminas Diactoros