PT-2022-28234 · Unknown · Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface +2

Published 2022-07-29 · Updated 2022-07-29

Severity: none. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: mezzio-swoole versions prior to 3.7.0; mezzio-swoole versions prior to 4.3.0

Description: The issue affects mezzio-swoole applications using Diactoros for their PSR-7 implementation. If the application is not behind a proxy or can be accessed via untrusted proxies, the host, protocol, and/or port of the Laminas\Diactoros\Uri instance associated with the incoming server request can be modified to reflect values from X-Forwarded-* headers. This can lead to XSS attacks and/or URL poisoning.

Recommendations: For versions prior to 3.7.0, update to version 3.7.0 or later. For versions prior to 4.3.0, update to version 4.3.0 or later. As a temporary workaround, consider placing a trusted reverse proxy in front of the mezzio-swoole server to filter out untrusted X-Forwarded-* headers. Users can also define the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service to provide a different implementation for filtering the generated request instance.
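An added example of the last recommendation, not part of this advisory or of the mezzio-swoole project: a mezzio config file that defines the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service using the FilterUsingXForwardedHeaders filter that laminas-diactoros ships from 2.11 onward (assumed installed), so that X-Forwarded-Host/-Proto/-Port are honoured only when the connecting address is one of the proxies you list. The `trusted_proxies` config key and the 10.0.0.0/8 range are placeholders chosen for this example.

```php
<?php
// config/autoload/request-filter.global.php (added example; file name is a convention, not required)
declare(strict_types=1);

use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
use Psr\Container\ContainerInterface;

return [
    // Placeholder: the address range(s) of the reverse proxy you control.
    // Leave this empty if the Swoole server is reachable directly: with no
    // trusted proxies, X-Forwarded-* headers are ignored for every request.
    'trusted_proxies' => ['10.0.0.0/8'],

    'dependencies' => [
        'factories' => [
            // mezzio-swoole resolves this service when building each PSR-7 request.
            FilterServerRequestInterface::class => static function (ContainerInterface $container): FilterServerRequestInterface {
                $proxies = $container->get('config')['trusted_proxies'] ?? [];

                // trustProxies() compares REMOTE_ADDR from the server params against the
                // CIDR list. Only a match lets the listed X-Forwarded-* headers rewrite the
                // Uri; any other client keeps the URI built from the Host header, so it
                // cannot inject its own host, scheme or port.
                return FilterUsingXForwardedHeaders::trustProxies(
                    $proxies,
                    [
                        FilterUsingXForwardedHeaders::HEADER_HOST,
                        FilterUsingXForwardedHeaders::HEADER_PROTO,
                        FilterUsingXForwardedHeaders::HEADER_PORT,
                    ]
                );
            },
        ],
    ],
];
```

If the configuration is cached, replace the closure with a named factory class, since closures cannot be serialised into the config cache.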

Related Identifiers

GHSA-C8RP-CGF4-937W

Affected Products

Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface
Laminas\Diactoros\Uri
Mezzio-Swoole