guzzlehttp/psr7 is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection')
53
Medium Risk
Affected versions of guzzlehttp/psr7 are vulnerable to HTTP header injection due to improper validation of URI host components during raw HTTP/1.x request serialization. An attacker able to control the host value may inject arbitrary HTTP headers through crafted control characters, potentially enabling request smuggling, cache poisoning, or other downstream attacks in applications that manually serialize PSR-7 requests.
You are affected if you are using a version that falls within the vulnerable range.
guzzlehttp/psr7 is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in versions 0.0.1 - 2.10.1.
Upgrade the guzzlehttp/psr7 library to the patched version. As a workaround, validate and reject untrusted URLs containing control characters or whitespace before creating PSR-7 requests, and ensure serialized HTTP requests are validated before being sent.
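One way to implement the URL check from the workaround, as an added example that is not guzzlehttp/psr7 code. The function name `assertSafeUrl` is hypothetical, the sample URLs are constructed, and the extra check on the percent-decoded host is an assumption that goes beyond what the advisory states.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not part of guzzlehttp/psr7.
 * Rejects an untrusted URL that contains control characters or whitespace
 * before it is passed to a PSR-7 request constructor.
 */
function assertSafeUrl(string $url): string
{
    // Raw control bytes (CR, LF, NUL, DEL, ...) or whitespace anywhere in the URL.
    if (preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        throw new InvalidArgumentException('URL contains control characters or whitespace');
    }

    // parse_url() returns null for a missing host and false for a malformed URL.
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException('URL has no usable host component');
    }

    // Assumption: also refuse hosts that would contain such bytes if a later
    // layer percent-decoded them.
    if (preg_match('/[\x00-\x20\x7F]/', rawurldecode($host)) === 1) {
        throw new InvalidArgumentException('Host decodes to control characters or whitespace');
    }

    return $url;
}

// Constructed sample inputs: one clean URL and three that must be refused.
$samples = [
    'https://api.example.com/v1/items',
    "https://example.com\r\n/",
    'https://exa mple.com/',
    'https://example.com%0d%0a/',
];

foreach ($samples as $sample) {
    try {
        assertSafeUrl($sample);
        $result = 'accepted';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    // json_encode makes CR/LF visible in the output instead of breaking the line.
    echo json_encode($sample), ' => ', $result, PHP_EOL;
}
```

Call the check on every URL that originates outside the application, before the request object is built, and treat the exception as a hard failure rather than stripping the offending bytes.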