PT-2022-28159 · Guzzle+3 · Guzzlehttp/Psr7+3

Grahamcampbell +2 · Published 2022-03-25 · Updated 2024-08-20 · CVE-2023-29197

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
guzzlehttp/psr7 versions prior to 1.9.1
guzzlehttp/psr7 versions prior to 2.4.5

Description
The issue concerns improper header parsing, allowing an attacker to sneak a newline (`\n`) into both header names and header values. Many servers will also accept a bare `\n` to terminate the header list, which is not in line with the specification, which states that `\r\n` should be used. This could potentially lead to application errors or invalid HTTP requests being sent out, possibly creating a denial-of-service vector if a remote service's web application firewall bans the application due to the receipt of malformed requests.

Recommendations
For guzzlehttp/psr7 versions prior to 1.9.1, upgrade to version 1.9.1 or later. For guzzlehttp/psr7 versions prior to 2.4.5, upgrade to version 2.4.5 or later. As a temporary workaround, consider validating HTTP header keys and/or values, and if using user-supplied values, filter them to strip leading or trailing newline characters before processing.
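The temporary workaround above, as an added PHP example (not guzzlehttp/psr7's own code): a validator that checks header names against the RFC 7230 token grammar and rejects any value containing CR or LF, run over a constructed set of user-influenced headers. The `HeaderGuard` class and the sample headers are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of guzzlehttp/psr7. A header name must be an
// RFC 7230 token and a value must contain no bare CR or LF, so an
// attacker-controlled string can never split or terminate the header list.
final class HeaderGuard
{
    // RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" /
    // "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA.
    // \z (not $) is used because PCRE's $ also matches before a trailing "\n",
    // which is exactly the character this check must catch.
    private const TOKEN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

    // SP, HTAB, visible ASCII and obs-text only; CR (0x0D) and LF (0x0A) are
    // excluded so neither "\n" nor "\r\n" can be smuggled into a value.
    private const FIELD_VALUE = '/^[\x20\x09\x21-\x7E\x80-\xFF]*\z/';

    /** True when $name is a valid token and $value contains no CR/LF. */
    public static function isValid(string $name, string $value): bool
    {
        return preg_match(self::TOKEN, $name) === 1
            && preg_match(self::FIELD_VALUE, $value) === 1;
    }

    /**
     * Filter user-influenced headers. Leading/trailing CR and LF are stripped
     * (the workaround in the advisory); anything that still fails validation
     * is dropped and its name reported in $rejected.
     */
    public static function sanitize(array $headers, array &$rejected = []): array
    {
        $clean = [];
        foreach ($headers as $name => $value) {
            $name  = trim((string) $name, "\r\n");
            $value = trim((string) $value, "\r\n");
            if (self::isValid($name, $value)) {
                $clean[$name] = $value;
            } else {
                $rejected[] = $name;
            }
        }
        return $clean;
    }
}

// Constructed sample input: the second value embeds "\n" followed by a
// forged header line, and the third name carries an embedded newline.
$input = [
    'X-Request-Id'    => 'abc123',
    'X-Forwarded-For' => "203.0.113.5\nX-Injected: 1",
    "Bad\nName"       => 'x',
];
$rejected = [];
$clean = HeaderGuard::sanitize($input, $rejected);
print_r($clean);     // only X-Request-Id survives
print_r($rejected);  // X-Forwarded-For and the malformed name are dropped
```

Run the check before calling `withHeader()` on any PSR-7 request built from request-derived data; the stripping step alone is not enough, since an embedded (not leading or trailing) newline still needs the validation to reject it.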


Related Identifiers

ALT-PU-2023-4877
ALT-PU-2024-11168
ALT-PU-2024-1228
BIT-DRUPAL-2022-24775
CVE-2023-29197
DLA-3705-1
GHSA-9JXR-MWPP-W643
GHSA-Q7RV-6HP3-VH96
GHSA-WJFC-PGFP-PV9C
GHSA-WXMH-65F7-JCVW
GHSA-XV3H-4844-9H36
MGASA-2023-0241
USN-6670-1
USN-6671-1

Affected Products

Alt Linux
Linuxmint
Ubuntu
Guzzlehttp/Psr7