🚨 [security] [php] Update guzzlehttp/psr7 2.7.1 → 2.11.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ guzzlehttp/psr7 (indirect, 2.7.1 → 2.11.0) · Repo · Changelog

Security Advisories 🚨

🚨 guzzlehttp/psr7 has CRLF Injection via URI Host Component

Impact

guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString() or an equivalent custom serializer. Creating a Uri, Request, or other PSR-7 object alone is not sufficient. The malformed host must be copied into the serialized Host header without further validation.

A vulnerable flow is:

1. An application accepts a user-controlled URL.
2. The URL is used to construct a PSR-7 Uri or Request.
3. The host component contains CRLF or another header-unsafe character.
4. The request is serialized into a raw HTTP/1.x message without an explicit Host header.
5. The host is copied into the serialized Host header.
6. The serialized request is written to the network or otherwise processed by software that does not independently reject the malformed host.

In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing "\r\nX-Injected: yes" can cause the generated Host header to span multiple HTTP header lines.

This is not the normal request-sending path used by guzzlehttp/guzzle. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected. Applications are most likely to be affected when they manually serialize PSR-7 requests, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, or similar request-dispatch code that serializes requests without independently validating URI hosts and header data. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed serialized request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.

Patches

The issue is patched in 2.10.2 and later. 1.x is end-of-life and will not receive a patch.

Workarounds

If you cannot upgrade immediately, validate and reject all untrusted URI strings before constructing PSR-7 Uri or Request instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters:

if (preg_match('/[\x00-\x20\x7F]/', $untrustedUrl)) {
    throw new \InvalidArgumentException('Insecure URL detected');
}

Applications that manually serialize or forward requests should also ensure the final HTTP client, transport, or serializer rejects invalid URI and header data before writing requests to the network.

References

• https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2
• https://www.rfc-editor.org/rfc/rfc9112.html#section-5
• https://www.rfc-editor.org/rfc/rfc9112.html#section-11.2
• https://www.rfc-editor.org/rfc/rfc9110.html#section-7.2

🚨 guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation

Impact

guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal outbound request-sending path used by guzzlehttp/guzzle.

A vulnerable flow is:

1. An attacker controls a raw HTTP request or server variable containing a Host value.
2. The Host value contains URI authority delimiters, such as trusted.example@evil.example.
3. guzzlehttp/psr7 uses that value to construct a URI.
4. The URI parser treats the portion before @ as userinfo and the portion after @ as the URI host.
5. The resulting PSR-7 request URI host differs from the original Host header value.

For example, Host: trusted.example@evil.example can result in a PSR-7 URI whose host is evil.example, while the original Host header value remains trusted.example@evil.example.

Applications are affected if they parse attacker-controlled raw HTTP requests with GuzzleHttp\Psr7\Message::parseRequest() or the legacy 1.x GuzzleHttp\Psr7\parse_request() function, or if they build server requests from attacker-controlled server variables with GuzzleHttp\Psr7\ServerRequest::fromGlobals() or GuzzleHttp\Psr7\ServerRequest::getUriFromGlobals(), and then rely on the resulting URI host for routing, allow-list checks, credential selection, or forwarding decisions. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host.

Patches

The issue is patched in 2.10.2 and later. 1.x is end-of-life and will not receive a patch.

Workarounds

If you cannot upgrade immediately, validate Host values before passing untrusted request data to Message::parseRequest(), legacy 1.x parse_request(), ServerRequest::fromGlobals(), or ServerRequest::getUriFromGlobals().

Accept only uri-host [ ":" port ]. Reject values containing whitespace, control characters, userinfo (@), path (/ or \), query (?), fragment (#), malformed IP literals or bracket syntax, or invalid port syntax.

Do not validate Host by prefixing it with http:// and passing it to parse_url(), because that can reinterpret malformed values as URI userinfo and host.

References

• https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2
• https://www.rfc-editor.org/rfc/rfc9112.html#section-3.3
• https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.4
• https://www.rfc-editor.org/rfc/rfc9110.html#section-7.2

Release Notes

2.11.0

Changed

• Changed Utils::modifyRequest() to reject conflicting URI and Host header changes in the same call
• Changed Header::parse() to split semicolon-separated parameters without repeated regular expression lookaheads
• Changed UriComparator::isCrossOrigin() so only HTTP and HTTPS missing ports receive implicit default ports

Deprecated

• Deprecated invalid PSR-7 arguments that guzzlehttp/psr7 3.0 will require native types for
• Deprecated non-string header values that guzzlehttp/psr7 3.0 will reject
• Deprecated empty header value arrays that guzzlehttp/psr7 3.0 will reject
• Deprecated URI schemes that do not match guzzlehttp/psr7 3.0 syntax requirements
• Deprecated multipart boundary and custom part header metadata that guzzlehttp/psr7 3.0 will reject
• Deprecated reliance on automatic uppercasing of request methods; guzzlehttp/psr7 3.0 preserves method casing
• Deprecated invalid Utils::modifyRequest() change values that guzzlehttp/psr7 3.0 will reject

Fixed

• Fixed Utils::copyToStream() to retry short destination writes instead of dropping the unwritten remainder
• Fixed Header::parse() splitting of semicolon-separated parameters with escaped quotes

2.10.4

Fixed

• Apply UriNormalizer percent-encoding normalizations to URI fragments
• Make LimitStream::getSize() return 0 for slices past the underlying stream end
• Make AppendStream::read() return an empty string when no streams are attached
• Make CachingStream::read() throw on an incomplete cache-target write instead of silently corrupting replays
• Prevent CachingStream::seek() from looping indefinitely when the remote stream makes no progress

2.10.3

Fixed

• Fixed URI parsing for IPv6 literals containing embedded IPv4 addresses
• Fixed malformed UTF-8 URI strings being parsed as empty URIs

2.10.2

Security

• Reject control and whitespace characters in URI host components (GHSA-hq7v-mx3g-29hw)
• Reject malformed Host values when constructing request URIs (GHSA-34xg-wgjx-8xph)

Fixed

• Make ServerRequest::fromGlobals() robust against unexpected HTTP header value types in $_SERVER

2.10.1

Fixed

• Fix Utils::modifyRequest() with numeric header names

2.10.0

• Harden ServerRequest::fromGlobals() against malformed $_SERVER values
• Prevent custom stream metadata from affecting internal size handling
• Throw when StreamWrapper::getResource() cannot create a resource
• Preserve custom request implementations in Utils::modifyRequest()
• Preserve custom URI implementations in UriResolver::resolve()
• Make Uri::__toString() side-effect-free

2.9.1

• Fix parsing of relative path references containing a colon in a non-initial path segment
• Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
• Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

2.9.0

Added

• Added nested array expansion support to MultipartStream
• Added @return static to MessageTrait methods

Changed

• Updated MIME type mappings

---

See also the change log for changes.

2.8.1

Fixed

• Encode + signs in Uri::withQueryValue() and Uri::withQueryValues() to prevent them being interpreted as spaces

---

See also the change log for changes.

2.8.0

Added

• Allow empty lists as header values

Changed

• PHP 8.5 support

---

See also the change log for changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 75 commits:

• Release 2.11.0
• Restore copyToStream throws annotation (#781)
• Fix copyToStream short writes (#772)
• Merge branch '2.10' into 2.11
• Release 2.10.4
• Merge branch '2.10' into 2.11
• Throw when the CachingStream cache target does not persist a full write (#768)
• Fix Header parameter splitting with escaped quotes (#744)
• Merge branch '2.10' into 2.11
• Limit UriComparator default ports to HTTP and HTTPS (#743)
• Fix LimitStream size past stream end (#742)
• Normalize URI fragment percent-encoding (#741)
• Fix AppendStream reads without streams (#740)
• Prevent CachingStream seek no-progress loops (#739)
• Merge branch '2.10' into 2.11
• Release 2.10.3
• Merge branch '2.10' into 2.11
• Parse IPv6 literals with embedded IPv4 addresses (#731)
• Merge branch '2.10' into 2.11
• Cover fromParts host control validation (#730)
• Merge branch '2.10' into 2.11
• Reject malformed UTF-8 URIs (#729)
• Merge branch '2.10' into 2.11
• Reject conflicting modifyRequest Host changes (#728)
• Release 2.10.2
• Merge branch '2.10' into 2.11
• Reject malformed Host authorities (#717)
• Merge branch '2.10' into 2.11
• Normalize global header values (#718)
• Merge branch '2.10' into 2.11
• Reject control characters in URI hosts (#715)
• Use debug type for multipart header error (#713)
• Deprecate invalid modifyRequest changes (#709)
• Clarify callable source docblocks (#705)
• Document callable stream sources (#704)
• Deprecate automatic request method uppercasing (#696)
• Document cross-origin comparison (#695)
• Deprecate invalid multipart metadata (#689)
• Change Header parameter splitting (#680)
• Handle short stream writes (#679)
• Deprecate additional 3.0 changes (#677)
• Deprecate invalid with arguments (#670)
• Release 2.10.1
• Fix modifyRequest with numeric header names (#667)
• Release 2.10.0
• Throw when StreamWrapper resource creation fails (#662)
• Use native stream URI for size cache (#661)
• Harden ServerRequest globals handling (#660)
• Merge branch '2.9' into 2.10
• Release 2.9.1
• Add 1.x to 2.0 upgrade guide (#659)
• Expand modifyRequest preservation tests (#658)
• Preserve URI implementations in UriResolver (#657)
• Make Uri stringification side-effect-free (#656)
• Preserve request implementations in modifyRequest (#655)
• Fix CachingStream detach resource (#654)
• Include next version in change log (#653)
• Fix UTF-8 body summary truncation (#652)
• Run static analysis on PHP 7.4 (#651)
• Update static tooling (#647)
• [2.9] Fix parsing of relative path references containing a colon in a non-initial path segment (#645)
• Upgrade to `http-interop/http-factory-tests` 1.1.0 (#642)
• Release 2.9.0
• Add additional tests covering IPv6 URI parsing (#641)
• Added `@return static` to `MessageTrait` methods (#639)
• [2.9] Added nested array expansion support to `MultipartStream` (#638)
• [2.9] Updated MIME type mappings and automated generation (#637)
• Release 2.8.1
• [2.8] Encode plus sign in withQueryValue() and withQueryValues() (#636)
• Add regression test for detach() on non-seekable streams (#634)
• Update CI workflows, upgrade PHPStan, and remove Psalm (#635)
• Release 2.8.0
• Update README.md
• [2.8] Allow empty lists as header values (#625)
• [2.8] Add PHP 8.5 support (#628)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)