guzzlehttp/guzzle is vulnerable to Exposure of Sensitive Information
47
Medium Risk
Guzzle's CookieJar applies ordinary subdomain (suffix) matching to a stored cookie whose Domain attribute is an IPv4 literal, a bracketed IPv6 literal, or a bare numeric value that denotes an IP address. The IP-address check inside SetCookie::matchesDomain() is applied only to the request host and never to the cookie's own domain, so a cookie scoped to a host like 192.168.0.1 or 1 is sent to any look-alike host whose name ends in that label, such as evil.192.168.0.1 or evil.1. When one cookie jar is reused across hosts or trust boundaries, this enables cross-host cookie disclosure, cookie injection, or session fixation depending on how the receiving service interprets the cookie. The fix treats IP literals and numeric cookie domains as exact-match-only and no longer applies subdomain matching to them.
You are affected if you are using a version that falls within the vulnerable range and your application uses Guzzle's cookie support with a cookie jar reused across hosts that can hold a cookie scoped to an IP-address or bare-numeric host.
guzzlehttp/guzzle is vulnerable to Exposure of Sensitive Information in versions 1.0.3 - 7.12.2.
Upgrade the guzzlehttp/guzzle library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant