PT-2026-47223 · Composer · Guzzlehttp/Psr7

Published 2026-05-29 · Updated 2026-06-11 · CVE-2026-49214
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: guzzlehttp/psr7 versions prior to 2.10.2
Description: The library fails to reject ASCII control characters, whitespace, or DEL in URI host components. When an application builds a PSR-7 Uri or Request from a user-controlled URL without setting an explicit Host header, the host component, CRLF or other header-unsafe characters included, is copied verbatim into the Host header. If the HTTP client does not independently reject the malformed host, an attacker can inject additional attacker-controlled header lines. This can lead to request smuggling or cache poisoning in environments using HTTP/1.1 connection reuse, proxies, gateways, or load balancers. Affected deployments are those that issue outbound HTTP requests to untrusted URLs: URL forwarding, proxying, crawling, webhook delivery and similar.
Recommendations: Update to version 2.10.2 or later. As a temporary workaround, validate and reject all untrusted URI strings before constructing PSR-7 Uri or Request instances, specifically rejecting any input containing ASCII control characters (0x00-0x1F, which covers CR, LF, tab and NUL), space, or DEL (0x7F). As a second layer of defence, ensure the final HTTP client or serializer rejects invalid URI and header data before writing a request to the network.
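The sequence the Description lays out (host component copied into Host, extra header lines appearing on the wire) and the two checks the Recommendations ask for, as an added Python model. This is not guzzlehttp/psr7 or Guzzle code: the URL splitting, the request serializer, the header names and the two sample URLs are constructed here for illustration, and what a real PSR-7 client writes to the socket depends on the client in use.

```python
"""Model of the Host-header injection described in this advisory.

Constructed example, not guzzlehttp/psr7 code. It models a PSR-7 style
request whose Host header is derived from the URL when the caller sets
none, then shows the two checks the Recommendations ask for: reject
header-unsafe URLs before building the request, and have the serializer
refuse header-unsafe values before anything reaches the wire.
"""
import re
from typing import Callable, Optional

# ASCII control characters (0x00-0x1F), space (0x20) and DEL (0x7F).
# None of these belong in a URI, and CR/LF in particular end a header
# line on the wire.
HEADER_UNSAFE = re.compile(r"[\x00-\x20\x7f]")
# In a generic header value SP and HTAB are legal; CR, LF, NUL and the
# remaining controls are not.
HEADER_VALUE_UNSAFE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 7230 token characters, the only ones allowed in a header name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed inputs: a benign webhook URL and one carrying CRLF in the host.
SAFE_URL = "https://example.com/hook?id=7"
EVIL_URL = "http://example.com\r\nX-Injected: yes/hook"


def split_url(url: str) -> tuple[str, str]:
    """Lenient split into (host, request-target): the host is everything
    between '://' and the first '/', '?' or '#', with no character
    validation, which models the pre-2.10.2 behaviour described above."""
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("absolute URL required")
    m = re.match(r"([^/?#]*)(.*)", rest, re.S)
    return m.group(1), m.group(2) or "/"


def header_lines(head: str) -> list[str]:
    """Header lines exactly as a server, proxy or cache will see them."""
    return head.rstrip("\r\n").split("\r\n")[1:]


def naive_request_head(method: str, url: str) -> str:
    """Vulnerable model: copies the host component straight into Host."""
    host, target = split_url(url)
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "User-Agent: model/1.0"]
    return "\r\n".join(lines) + "\r\n\r\n"


def find_unsafe_byte(url: str) -> Optional[int]:
    """Offset of the first control/whitespace/DEL byte in url, or None."""
    m = HEADER_UNSAFE.search(url)
    return m.start() if m else None


def assert_header_safe_url(url: str) -> str:
    """Workaround from the Recommendations: validate the untrusted URL
    string before it is turned into a Uri or Request."""
    off = find_unsafe_byte(url)
    if off is not None:
        raise ValueError(f"header-unsafe byte 0x{ord(url[off]):02x} at offset {off}")
    return url


def strict_request_head(method: str, url: str, extra: Optional[dict] = None) -> str:
    """Second layer: the serializer itself refuses to write a Host,
    request-target or header value that could terminate a line."""
    host, target = split_url(url)
    if HEADER_UNSAFE.search(host) or HEADER_UNSAFE.search(target):
        raise ValueError("refusing to serialize header-unsafe host or target")
    headers = {"Host": host, "User-Agent": "model/1.0", **(extra or {})}
    for name, value in headers.items():
        if not TOKEN.fullmatch(name) or HEADER_VALUE_UNSAFE.search(value):
            raise ValueError(f"refusing to serialize header {name!r}")
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def raises_value_error(fn: Callable, *args) -> bool:
    """True if fn(*args) rejects its input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The naive serializer turns one intended Host line into two header lines.
    print(header_lines(naive_request_head("GET", EVIL_URL)))
    print("url check rejects:", raises_value_error(assert_header_safe_url, EVIL_URL))
    print("serializer rejects:", raises_value_error(strict_request_head, "GET", EVIL_URL))
```

The pre-construction check is the one to add at every ingress point that accepts a URL from users (webhook registration, redirect targets, crawler seeds); the serializer-side check catches URLs that reach the client by a path nobody validated.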

Related Identifiers

CVE-2026-49214
GHSA-HQ7V-MX3G-29HW

Affected Products

Guzzlehttp/Psr7