PT-2022-3247 · Guzzle, Red Os

Published: 2022-06-09 · Updated: 2025-08-12 · CVE-2022-31042

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Guzzle versions prior to 6.5.7; Guzzle versions prior to 7.4.4
Description: The Cookie header on a request is sensitive information. When a request made over https is redirected to a URI with the http scheme, or when a request is redirected to a URI on a different host, the Cookie header must not be forwarded to the redirect target. Prior to the fix, Guzzle's redirect handling only removed cookies managed by the cookie middleware (which re-evaluates its cookie jar for each hop); a Cookie header added manually to the request, for example via the request's headers, was copied onto the redirected request unchanged. The redirect target therefore receives the cookie in clear text or on a host it was never set for. The issue allows a remote attacker to disclose protected information, which the vector reflects as complete confidentiality impact with no integrity or availability impact.
Recommendations: For Guzzle 6.x prior to 6.5.7, upgrade to Guzzle 6.5.7 as soon as possible; for Guzzle 7.x prior to 7.4.4, upgrade to Guzzle 7.4.4 as soon as possible. If you are unable to upgrade, replace the default redirect middleware with your own that drops the Cookie header whenever a redirect changes host or downgrades from https to http. If you do not require or expect redirects to be followed, disable them altogether (the `allow_redirects` request option set to false).
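The redirect policy described above, and the custom redirect handling the recommendation suggests, as an added example that is not Guzzle's own code: a minimal redirect follower in Python over a constructed in-memory server, run once with the pre-fix behaviour (a manually added Cookie header is copied onto every hop) and once with the fixed policy (Cookie is dropped on an https to http downgrade or a change of host). The hostnames, paths and cookie value are invented for the demonstration; the decision logic, not the PHP API, is what carries over into a Guzzle redirect middleware.

```python
"""Redirect-time Cookie stripping, modelled after the behaviour the advisory describes.

Added example, not Guzzle code. The server, URLs and cookie value are constructed
so the vulnerable and fixed behaviours can be compared offline.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SENSITIVE_HEADERS = {"cookie"}  # lower-cased header names that must not cross the boundary


def should_strip_sensitive_headers(original_url: str, target_url: str) -> bool:
    """True when a redirect from original_url to target_url must not carry Cookie.

    Two conditions, matching the advisory: the scheme drops from https to http
    (the cookie would travel in clear text), or the host changes (the cookie
    would be sent to a party it was never set for). Host comparison is
    case-insensitive; an http -> https upgrade on the same host is allowed.
    """
    orig, target = urlparse(original_url), urlparse(target_url)
    downgraded = orig.scheme == "https" and target.scheme == "http"
    cross_host = (orig.hostname or "").lower() != (target.hostname or "").lower()
    return downgraded or cross_host


def strip_sensitive(headers: dict) -> dict:
    """Return a copy of headers without the sensitive entries (case-insensitive names)."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


class FakeServer:
    """Constructed origin(s): a URL -> Location table plus a log of every request received."""

    def __init__(self, redirects: dict):
        self.redirects = redirects
        self.received = []  # (url, headers) for each hop, in order

    def handle(self, url: str, headers: dict):
        self.received.append((url, dict(headers)))
        if url in self.redirects:
            return 302, {"Location": self.redirects[url]}
        return 200, {}


def follow(server: FakeServer, url: str, headers: dict, *, strip: bool, max_redirects: int = 5) -> str:
    """Follow redirects against the fake server and return the final URL.

    strip=False reproduces the vulnerable behaviour for a manually added Cookie
    header: it is forwarded to every hop unchanged. strip=True applies the fix.
    """
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers = server.handle(url, headers)
        if status not in REDIRECT_STATUSES:
            return url
        # Location may be relative; resolve it against the URL that was just requested.
        target = urljoin(url, resp_headers["Location"])
        if strip and should_strip_sensitive_headers(url, target):
            headers = strip_sensitive(headers)
        url = target
    raise RuntimeError("too many redirects")


def cookie_reached_target(strip: bool) -> dict:
    """Run three redirect scenarios; report whether Cookie arrived at each final URL."""
    server = FakeServer({
        "https://app.example.test/login":  "http://app.example.test/legacy",        # https -> http, same host
        "https://app.example.test/export": "https://files.partner.test/download",  # different host, still https
        "https://app.example.test/a":      "/b",                                   # relative, same scheme and host
    })
    results = {}
    for start in server.redirects:
        final = follow(server, start, {"Cookie": "session=secret", "Accept": "*/*"}, strip=strip)
        _, hop_headers = server.received[-1]  # headers exactly as the final target saw them
        results[final] = any(k.lower() == "cookie" for k in hop_headers)
    return results


if __name__ == "__main__":
    print("vulnerable:", cookie_reached_target(strip=False))
    print("fixed:     ", cookie_reached_target(strip=True))
```

In the vulnerable run the cookie reaches all three final URLs, including the clear-text http hop and the foreign host; in the fixed run it reaches only the same-host https target. Only Cookie is dropped, so unrelated headers such as Accept still follow the redirect, and a relative Location is resolved before the check so a same-host path change is not mistaken for a host change.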

Weakness Enumeration

Incorrect Authorization
Information Disclosure
Improperly Implemented Security Check for Standard

Related Identifiers

BDU:2022-03942
BDU:2022-03953
BIT-DRUPAL-2022-31042
BIT-DRUPAL-2022-31043
CVE-2022-31042
DRUPAL-CORE-2022-011
DSA-5246-1
GHSA-F2WF-25XC-69C9
GHSA-W248-FFJ2-4V5Q
MGASA-2022-0338

Affected Products

Guzzle
Red Os