guzzlehttp/guzzle is vulnerable to HTTPS Proxy Downgrade
59
Medium Risk
Guzzle's built-in cURL handlers pass https:// proxy URLs directly to libcurl. libcurl versions older than 7.50.2 silently downgrade the proxy connection to plaintext instead of establishing TLS, exposing proxy authentication credentials (Proxy-Authorization headers, userinfo in the proxy URL) and, for plain HTTP requests, the full request headers and bodies on the proxy leg; tunneled end-to-end HTTPS traffic is unaffected because its inner TLS session remains intact. Newer libcurl versions (7.50.2+) either reject the unsupported configuration at connect time or handle HTTPS proxies correctly, so only deployments that combine an https:// proxy configuration with a libcurl older than 7.50.2 are at risk.
You are affected if you are using a version within the vulnerable range and your application configures an https:// proxy with the cURL handler. Applications that do not use an https:// proxy, or that use the stream handler, are unaffected.
guzzlehttp/guzzle is vulnerable to HTTPS Proxy Downgrade in versions 1.0.3 - 7.12.0.
Upgrade the guzzlehttp/guzzle library to a patched version.
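The check a deployment would want before handing an https:// proxy to the cURL handler, written as an added example rather than code from Guzzle or from this advisory. It assumes Guzzle 7 installed via Composer, takes the 7.50.2 threshold from the text above, consults the CURL_VERSION_HTTPS_PROXY feature bit only when the PHP build defines it, and the helper names (httpsProxyFindings, makeGuardedClient) and the sample proxy hosts are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Guzzle's own code: a fail-closed guard that refuses to build
// a Guzzle client on the cURL handler when an https:// proxy would be downgraded.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

/**
 * Hypothetical helper: list the reasons an https:// proxy setting is unsafe
 * for libcurl, or return [] when it is fine.
 *
 * @param string|array<string,mixed> $proxy       Guzzle 'proxy' option (URL or scheme map)
 * @param array<string,mixed>|null   $curlVersion Output of curl_version(); injectable for tests
 * @return string[]
 */
function httpsProxyFindings($proxy, ?array $curlVersion = null): array
{
    // Collect the proxy URLs; the 'no' key of a scheme map holds a host list, not a URL.
    $urls = is_array($proxy) ? array_values(array_filter($proxy, 'is_string')) : [(string) $proxy];
    $httpsProxies = array_filter($urls, static function (string $url): bool {
        return strcasecmp((string) parse_url($url, PHP_URL_SCHEME), 'https') === 0;
    });
    if ($httpsProxies === []) {
        return []; // no https:// proxy configured: the downgrade cannot occur
    }

    $curlVersion = $curlVersion ?? (function_exists('curl_version') ? curl_version() : null);
    if ($curlVersion === null) {
        return ['ext-curl is not loaded; cannot verify libcurl HTTPS proxy support'];
    }

    $findings = [];
    // Threshold taken from the advisory text above.
    if (version_compare((string) $curlVersion['version'], '7.50.2', '<')) {
        $findings[] = sprintf(
            'libcurl %s is older than 7.50.2 and would downgrade the proxy connection to plaintext',
            $curlVersion['version']
        );
    }
    // Assumption: this PHP build exposes CURL_VERSION_HTTPS_PROXY (PHP 7.3+ with a
    // recent libcurl); when it does, the feature bit is more reliable than the version string.
    if (defined('CURL_VERSION_HTTPS_PROXY')
        && (((int) $curlVersion['features']) & CURL_VERSION_HTTPS_PROXY) === 0) {
        $findings[] = 'libcurl was built without HTTPS proxy support';
    }
    if ($findings === []) {
        return [];
    }
    // Spell out what a downgrade would leak, so the refusal message is actionable.
    foreach ($httpsProxies as $url) {
        if (parse_url($url, PHP_URL_USER) !== null) {
            $redacted = preg_replace('#//[^@/]+@#', '//***@', $url);
            $findings[] = 'proxy URL ' . $redacted . ' carries credentials in userinfo that would be sent in cleartext';
        }
    }
    return $findings;
}

/** Hypothetical factory: builds the client only when the proxy setting passes the guard. */
function makeGuardedClient(array $config): Client
{
    if (isset($config['proxy'])) {
        $findings = httpsProxyFindings($config['proxy']);
        if ($findings !== []) {
            throw new RuntimeException(
                'Refusing to use an https:// proxy with the cURL handler: ' . implode('; ', $findings)
            );
        }
    }
    return new Client($config);
}

// Constructed sample: audit two proxy settings against an old libcurl version table.
$oldLibcurl = ['version' => '7.29.0', 'features' => 0];
var_dump(httpsProxyFindings('https://user:secret@proxy.example.internal:3128', $oldLibcurl));
var_dump(httpsProxyFindings(['http' => 'http://proxy.example.internal:3128', 'no' => ['localhost']], $oldLibcurl));
```

The guard fails closed, which is the right default for a setting that would otherwise leak credentials silently. The advisory notes that the stream handler is not affected, so for deployments that cannot upgrade libcurl, passing `HandlerStack::create(new StreamHandler())` as the client's `handler` option is the other route, in addition to upgrading guzzlehttp/guzzle itself.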