PT-2023-22303 · Laminas · Laminas Diactoros

Grahamcampbell · Published 2023-04-19 · Updated 2023-05-05 · CVE-2023-29530

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Laminas Diactoros versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0
Description: The issue is improper header validation. When an HTTP request or response is built with laminas/laminas-diactoros, a header name or value that begins or ends with a newline is accepted instead of being rejected. An attacker who controls such a value (for example, through a request parameter that the application copies into a header) can therefore produce an invalid HTTP message, leading to application errors or a denial-of-service condition. Consistent with the CVSS vector, the impact is on availability only; no confidentiality or integrity impact is attributed to this issue.
Recommendations: For versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, update to the patched releases 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1 respectively. As a temporary workaround, validate HTTP header names and values before use and, where they originate from user input, strip leading and trailing newline characters (and reject any remaining CR or LF) before calling withHeader().
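The workaround above, as an added example in PHP; this is not code from the Laminas project or from the advisory. The helper names assertValidHeaderName, filterHeaderValue and withUserHeader are chosen here for illustration; withHeader() is the real PSR-7 MessageInterface method the advisory refers to. The validation functions and the demonstration loop need only a PHP interpreter; the withUserHeader helper assumes laminas-diactoros (or any other PSR-7 implementation) is installed via Composer, and is the only part that does. The sample inputs are constructed for the example.

```php
<?php
// Added example, not laminas-diactoros code: validate and normalise
// user-supplied header names and values before they reach withHeader().
declare(strict_types=1);

/**
 * Validate a header field name as an RFC 7230 token.
 * CR, LF, SP and HTAB are not token characters, so a name such as
 * "\nX-Request-Id" is rejected rather than trimmed: a header name with a
 * stray newline is never a legitimate input and should fail loudly.
 */
function assertValidHeaderName(string $name): string
{
    // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
    //         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
    if ($name === '' || preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
        throw new InvalidArgumentException(
            sprintf('Invalid header name: %s', json_encode($name))
        );
    }
    return $name;
}

/**
 * Normalise a header field value: trim leading and trailing whitespace,
 * including the CR and LF this advisory is about, then refuse any control
 * character that remains. An embedded CRLF is rejected as well; user input
 * should never be able to start a new header line or an obs-fold continuation.
 */
function filterHeaderValue(string $value): string
{
    // A value like "abc123\r\n" would serialise as "X-Request-Id: abc123\r\n\r\n"
    // and terminate the header block early; trimming the edges removes that.
    $trimmed = trim($value, " \t\r\n");

    // Reject every remaining CTL (0x00-0x1F, 0x7F): only field-vchar is allowed.
    if (preg_match('/[\x00-\x1F\x7F]/', $trimmed) === 1) {
        throw new InvalidArgumentException(
            sprintf('Header value contains control characters: %s', json_encode($value))
        );
    }
    return $trimmed;
}

/**
 * Apply a user-controlled header to a PSR-7 message. This is the only
 * function that needs a PSR-7 implementation such as laminas-diactoros
 * on the autoloader; withHeader() is the PSR-7 method named in the advisory.
 */
function withUserHeader(
    \Psr\Http\Message\MessageInterface $message,
    string $name,
    string $value
): \Psr\Http\Message\MessageInterface {
    return $message->withHeader(assertValidHeaderName($name), filterHeaderValue($value));
}

// Constructed sample inputs (not taken from the advisory): what an
// attacker-controlled query parameter or form field might carry into a header.
$samples = [
    ['X-Request-Id', 'abc123'],                // clean value, accepted unchanged
    ['X-Request-Id', "abc123\r\n"],            // trailing CRLF, trimmed away
    ['X-Request-Id', "\nabc123"],              // leading LF, trimmed away
    ['X-Request-Id', "abc\r\nSet-Cookie: x=1"],// embedded CRLF, rejected
    ["\nX-Request-Id", 'abc123'],              // newline inside the name, rejected
];

foreach ($samples as [$name, $value]) {
    try {
        $n = assertValidHeaderName($name);
        $v = filterHeaderValue($value);
        printf("accepted %s: %s\n", $n, json_encode($v));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Run it with `php example.php`; the first three samples are accepted with the edge newlines removed, the last two are rejected. The asymmetry is deliberate: a value is trimmed because leading or trailing whitespace in a value is a common and harmless artifact of form input, whereas a header name containing any non-token character is treated as an attack or a bug and refused outright. Once the patched release is installed, this filtering becomes defence in depth rather than the fix itself.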

Weakness Enumeration

Related Identifiers

CVE-2023-29530
GHSA-WXMH-65F7-JCVW
GHSA-XV3H-4844-9H36

Affected Products

Laminas Diactoros