PT-2026-47222 · Pypi · Psr7

Published 2026-05-29 · Updated 2026-06-11 · CVE-2026-48998

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: guzzlehttp/psr7 versions prior to 2.10.2

Description: Improper Host header validation occurs when parsing raw HTTP request messages or deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as trusted.example@evil.example. When this value is used to construct a URI, it can be reinterpreted as URI userinfo and host, causing the resulting request URI host to differ from the original Host header. This affects applications using the GuzzleHttp\Psr7\Message::parseRequest() function, the legacy GuzzleHttp\Psr7\parse_request() function, or those building server requests from attacker-controlled server variables that rely on the URI host for routing, allow-list checks, or forwarding. In gateway or forwarding scenarios, this may lead to requests or credentials being sent to an unintended host.

Recommendations: Update to version 2.10.2. As a temporary workaround, validate the Host header as uri-host [ ":" port ] before calling Message::parseRequest() or parse_request() on untrusted data, or before making routing and forwarding decisions. Reject Host values that contain userinfo, path, query, or fragment delimiters.
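The following is an added example, not code from guzzlehttp/psr7 (it is Python rather than PHP so the logic can be run stand-alone). It shows how a naive "scheme://" + Host construction reinterprets the authority delimiters, and implements the recommended workaround: accept only values matching uri-host [ ":" port ] and reject anything carrying userinfo, path, query or fragment delimiters. The function names and the sample Host values are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# uri-host per RFC 3986: reg-name, IPv4address, or IP-literal ("[...]"),
# optionally followed by ":" port. reg-name permits unreserved, pct-encoded
# and sub-delims characters only; "@", "/", "?", "#" and ":" are not in it.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # simplified: no IPvFuture / zone id
_HOST_PORT = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?")


def is_valid_host_header(value: str) -> bool:
    """True if `value` is exactly uri-host [ ":" port ] (and non-empty).

    The grammar itself allows an empty reg-name; rejecting it here is a
    deliberately stricter choice, since an empty host cannot be routed.
    """
    return bool(value) and _HOST_PORT.fullmatch(value) is not None


def reinterpreted_host(host_header: str) -> Optional[str]:
    """Host as a naive URI builder sees it after prepending "http://".

    For "trusted.example@evil.example" the part before "@" becomes URI
    userinfo and the URI host becomes "evil.example" (the mismatch the
    advisory describes). Lower-cased by the URL parser.
    """
    return urlsplit("http://" + host_header).hostname


def host_mismatch(host_header: str) -> bool:
    """Detection check: does the derived URI host differ from the header?"""
    expected = host_header.split(":")[0].lower() if not host_header.startswith("[") else host_header
    return reinterpreted_host(host_header) != expected


def request_uri_from_host(host_header: str) -> str:
    """Hardened path: validate before any URI is built from the Host header."""
    if not is_valid_host_header(host_header):
        raise ValueError(f"rejected Host header: {host_header!r}")
    return "http://" + host_header


if __name__ == "__main__":
    # constructed sample values
    for h in ["trusted.example:8080", "trusted.example@evil.example", "trusted.example/admin"]:
        print(f"{h!r:40} valid={is_valid_host_header(h)} uri_host={reinterpreted_host(h)!r}")
```

Run it as a script to see the reinterpreted host for each sample; in practice the validation happens in the code path that hands the raw message or server variables to the URI builder.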

Fix · RCE · SSRF

Related Identifiers: CVE-2026-48998, GHSA-34XG-WGJX-8XPH

Affected Products: Psr7