PT-2022-3238 · Guzzle +1

Published 2022-06-09 · Updated 2025-08-12 · CVE-2022-31043

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Guzzle versions prior to 6.5.7
Guzzle versions prior to 7.4.4
Description
The issue concerns the handling of the Authorization header across redirects. When a request made over the https scheme is answered with a redirect to a URI using the http scheme, the Authorization header should not be forwarded. Prior to the fix, however, only a change of host caused the Authorization header to be removed; an https-to-http downgrade to the same host left it in place. This could allow sensitive information to be disclosed to a remote attacker.
Recommendations
Users of Guzzle 7 should upgrade to version 7.4.4 as soon as possible. Users of any earlier Guzzle series should upgrade to version 6.5.7 or 7.4.4. As a temporary workaround, users unable to upgrade may use their own redirect middleware. Alternatively, redirects may simply be disabled altogether where they are not expected or required.
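The following is an added example, not code from Guzzle or from this advisory, of the "own redirect handling" workaround: redirects are disabled in the client and followed by hand, and the Authorization (and Cookie) header is dropped whenever the host changes or the scheme downgrades from https to http, which is the case the vulnerable versions missed. It assumes guzzlehttp/guzzle 7 and guzzlehttp/psr7 installed via Composer; the function names are the example's own.

```php
<?php
// Added example: manual redirect handling that strips credentials on a
// host change or an https -> http downgrade. Assumes guzzlehttp/guzzle 7
// and guzzlehttp/psr7 are installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\UriInterface;

// True when sensitive headers must not follow the redirect from $from to $to.
function shouldStripAuthorization(UriInterface $from, UriInterface $to): bool
{
    if (strcasecmp($from->getHost(), $to->getHost()) !== 0) {
        return true; // cross-host redirect
    }
    // Same host but the transport is downgraded: the pre-fix code kept the header here.
    return $from->getScheme() === 'https' && $to->getScheme() === 'http';
}

// Issue GET requests with redirects disabled and follow up to $maxRedirects hops ourselves.
function fetchWithSafeRedirects(Client $client, string $url, array $headers, int $maxRedirects = 5)
{
    $uri = new Uri($url);
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $response = $client->request('GET', $uri, [
            'headers'         => $headers,
            'allow_redirects' => false, // we decide what gets forwarded
            'http_errors'     => false,
        ]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response; // final response (or a 3xx without Location)
        }
        // Resolve a possibly relative Location against the request URI.
        $next = UriResolver::resolve($uri, new Uri($response->getHeaderLine('Location')));
        if (shouldStripAuthorization($uri, $next)) {
            unset($headers['Authorization'], $headers['Cookie']);
            error_log("Dropped credentials on redirect $uri -> $next");
        }
        $uri = $next;
    }
    throw new RuntimeException('Too many redirects');
}
```

The error_log line doubles as a detection hook: a same-host https-to-http redirect that triggers it is worth investigating on the server side, since it is exactly the downgrade the advisory describes.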

Exploit

Fix

Weakness Enumeration

Incorrect Authorization
Information Disclosure
Improperly Implemented Security Check for Standard

Related Identifiers

BDU:2022-03942
BIT-DRUPAL-2022-31042
BIT-DRUPAL-2022-31043
CVE-2022-31043
DRUPAL-CORE-2022-011
DSA-5246-1
GHSA-F2WF-25XC-69C9
GHSA-W248-FFJ2-4V5Q
MGASA-2022-0338

Affected Products

Guzzle
Red Os