Name of the Vulnerable Software and Affected Versions zend-diactoros (affected versions not specified) zend-http (affected versions not specified) zend-feed (affected versions not specified)

Description The issue concerns a potential URL rewrite exploit in the mentioned software components. It involves logic that introspects HTTP request headers specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic triggers, allowing a malicious client or proxy to emulate the headers and request arbitrary content.

Recommendations For zend-diactoros, consider restricting access to the URL rewrite mechanism until a patch is available. For zend-http, avoid using the URL rewriting mechanism in Zend Framework MVC projects until the issue is resolved. For zend-feed, specifically its PubSubHubbub sub-component, restrict access to the sub-component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.