Intel

AIKIDO-2026-493693

guzzlehttp/guzzle is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive InformationGHSA-g446-98w2-8p5w Published Jun 25, 2026

47

Medium Risk

This Affects:

PHPguzzlehttp/guzzle
1.0.3 - 7.12.2
Fixed in 7.12.3
Are you affected? Scan for Free

TL;DR

Guzzle's CookieJar applies ordinary subdomain (suffix) matching to a stored cookie whose Domain attribute is an IPv4 literal, a bracketed IPv6 literal, or a bare numeric value that denotes an IP address. The IP-address check inside SetCookie::matchesDomain() is applied only to the request host and never to the cookie's own domain, so a cookie scoped to a host like 192.168.0.1 or 1 is sent to any look-alike host whose name ends in that label, such as evil.192.168.0.1 or evil.1. When one cookie jar is reused across hosts or trust boundaries, this enables cross-host cookie disclosure, cookie injection, or session fixation depending on how the receiving service interprets the cookie. The fix treats IP literals and numeric cookie domains as exact-match-only and no longer applies subdomain matching to them.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses Guzzle's cookie support with a cookie jar reused across hosts that can hold a cookie scoped to an IP-address or bare-numeric host.

Background info

guzzlehttp/guzzle is vulnerable to Exposure of Sensitive Information in versions 1.0.3 - 7.12.2.

How to fix this

Upgrade the guzzlehttp/guzzle library to the patch version.