guzzlehttp/psr7 is vulnerable to Server-side Request Forgery (SSRF)
53
Medium Risk
Affected versions of guzzlehttp/psr7 are vulnerable to improper Host header parsing when constructing request URIs from inbound requests. A crafted Host header containing authority delimiters may cause the parsed URI host to differ from the original header value, potentially leading to routing, forwarding, or credential-handling issues in applications processing attacker-controlled requests.
You are affected if you are using a version that falls within the vulnerable range.
guzzlehttp/psr7 is vulnerable to Server-side Request Forgery (SSRF) in versions 0.0.1 - 2.10.1.
Upgrade the guzzlehttp/psr7 library to the patched version. As a workaround, strictly validate untrusted Host header values before constructing PSR-7 requests and reject malformed hosts containing characters such as @, whitespace, or path delimiters.
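One way to implement the workaround's Host check, as an added example that is not code from guzzlehttp/psr7 or from this advisory. The function names `isWellFormedHostHeader` and `portInRange` and the sample values are assumptions constructed for illustration. It goes beyond the characters listed above by allowlisting the `host[:port]` form, so everything else is rejected.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of guzzlehttp/psr7): allowlist check for an
 * untrusted Host header value. Accepts only host[:port]; anything carrying
 * "@", whitespace, "/", "\", "?", "#" or control bytes fails to match.
 */
function isWellFormedHostHeader(string $value): bool
{
    // Bound the length: 253 for the name plus ":" and five port digits.
    if ($value === '' || strlen($value) > 259) {
        return false;
    }

    // Bracketed IPv6 literal with an optional port.
    if (preg_match('/\A\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?\z/', $value, $m)) {
        return filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false
            && portInRange($m[2] ?? '');
    }

    // Registered name or IPv4: dot-separated labels of letters, digits, hyphens.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A(' . $label . '(?:\.' . $label . ')*)(?::(\d{1,5}))?\z/';
    if (preg_match($pattern, $value, $m)) {
        return strlen($m[1]) <= 253 && portInRange($m[2] ?? '');
    }

    return false;
}

/** An absent port is fine; a present one must be 1..65535. */
function portInRange(string $port): bool
{
    return $port === '' || ((int) $port >= 1 && (int) $port <= 65535);
}

// Constructed sample values. In an application, run the check on the raw
// Host header before any PSR-7 request object is built, and answer 400 on failure.
$samples = ['example.com', 'example.com:8080', '[::1]:443',
            'user@example.com', 'example.com /x', 'example.com/path', "example.com\n"];
foreach ($samples as $s) {
    printf("%-22s %s\n", json_encode($s), isWellFormedHostHeader($s) ? 'accept' : 'reject');
}
```

The first three samples are accepted and the last four are rejected. Hostnames containing underscores are also rejected by this pattern, so loosen the label class only if your deployment needs them.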