
CVE-2022-24775: CWE-20: Improper Input Validation in guzzle psr7

Medium
Published: Mon Mar 21 2022 (03/21/2022, 19:00:17 UTC)
Source: CVE
Vendor/Project: guzzle
Product: psr7

Description

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/23/2025, 12:04:58 UTC

Technical Analysis

CVE-2022-24775 is a vulnerability in the guzzlehttp/psr7 library, a widely used PHP implementation of the PSR-7 HTTP message interfaces. The library builds and parses HTTP messages, so it sits underneath many PHP web applications and HTTP clients. The flaw is improper input validation during HTTP header parsing in the 1.x series before 1.8.4 and in the 2.x series before 2.1.1. Specifically, newline characters (CR/LF) were accepted inside header names or values, so untrusted data reaching a header could terminate that header early and be interpreted as a further header or as the start of the message body. This is the classic precondition for HTTP response splitting and header injection, which in turn can be used for web cache poisoning, cross-site scripting (XSS), or session fixation. The vulnerability is classified as CWE-20 (Improper Input Validation): the library did not validate header input against the allowed character set before processing it. The issue was patched in versions 1.8.4 and 2.1.1, and no workaround exists, so upgrading is the primary remediation. No exploits in the wild are known at this time, but the nature of the bug and the very wide deployment of guzzlehttp/psr7 in PHP applications make unpatched installations a credible risk.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on PHP-based web applications that utilize guzzlehttp/psr7 for HTTP message handling. Exploitation could allow attackers to perform HTTP response splitting, leading to web cache poisoning or cross-site scripting attacks, which can compromise user data confidentiality and integrity. This may result in unauthorized access to sensitive information, session hijacking, or the delivery of malicious content to end users. The availability impact is generally limited but could manifest if attackers disrupt normal HTTP communication or cause application errors. Given the prevalence of PHP in European public sector services, e-commerce platforms, and financial institutions, exploitation could undermine trust and lead to regulatory penalties under GDPR if personal data is exposed. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target widely used libraries. Organizations with high exposure to web-facing PHP applications are at greater risk.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading guzzlehttp/psr7 to version 1.8.4 or 2.1.1 or later, depending on their current version. Since no workarounds exist, patching is the only effective measure. Additionally, organizations should audit their codebases and dependencies to identify all instances of guzzlehttp/psr7 usage, including transitive dependencies in frameworks or third-party packages. Implementing strict input validation and sanitization at the application level can provide an additional layer of defense against header injection attempts. Web application firewalls (WAFs) should be configured to detect and block suspicious HTTP header patterns, such as unexpected newline characters. Monitoring HTTP traffic for anomalies and unusual header manipulations can help detect exploitation attempts early. Finally, organizations should maintain an up-to-date inventory of software components and apply security patches promptly to reduce exposure to similar vulnerabilities.
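The analysis and the mitigation section above both come down to one check: a header name must be an RFC 7230 token and a header value must contain only SP, HTAB, visible ASCII and obs-text bytes, never CR or LF. The following PHP class is an added example written for this page, not code from guzzlehttp/psr7 or from its fix; the class and method names (HeaderGuard, assertHeader, findNewlineInjection) and the sample inputs are constructed for illustration. It shows the application-level validation the mitigation section recommends, plus a small scan that flags headers carrying embedded newlines, which is the kind of pattern a WAF or log review would look for.

```php
<?php
declare(strict_types=1);

// Added example (not guzzlehttp/psr7 code). Validates HTTP header names and
// values against the RFC 7230 grammar before they reach any message library:
//   header-name  = token  = 1*tchar
//   field-value  = *( SP / HTAB / VCHAR / obs-text )   (no CR, LF or NUL)

final class HeaderValidationException extends InvalidArgumentException {}

final class HeaderGuard
{
    // tchar set from RFC 7230 section 3.2.6. \z (not $) anchors at the true end of
    // the string: with $, PCRE would still match a value that ends in a lone "\n".
    private const NAME_PATTERN  = '/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/';
    // SP, HTAB, VCHAR (0x21-0x7E) and obs-text (0x80-0xFF); CR/LF/NUL are excluded.
    private const VALUE_PATTERN = '/^[ \t\x21-\x7E\x80-\xFF]*\z/';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::NAME_PATTERN, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_PATTERN, $value) === 1;
    }

    /**
     * Throws unless both parts are well-formed; returns the value with the
     * optional surrounding whitespace that RFC 7230 permits stripped off.
     */
    public static function assertHeader(string $name, string $value): string
    {
        if (!self::isValidName($name)) {
            throw new HeaderValidationException(
                sprintf('invalid header name %s', json_encode($name))
            );
        }
        if (!self::isValidValue($value)) {
            throw new HeaderValidationException(
                sprintf('invalid value for header %s: %s', $name, json_encode($value))
            );
        }
        return trim($value, " \t");
    }

    /**
     * Detection helper: returns the names of headers whose value carries a
     * CR or LF, i.e. the signature of a newline-injection attempt.
     *
     * @param array<string,string> $headers
     * @return list<string>
     */
    public static function findNewlineInjection(array $headers): array
    {
        $flagged = [];
        foreach ($headers as $name => $value) {
            if (preg_match('/[\r\n]/', $value) === 1) {
                $flagged[] = $name;
            }
        }
        return $flagged;
    }
}

// Constructed sample inputs: one clean header, one with a smuggled CRLF, one
// with an illegal name, and one ending in a bare LF (the case $ would miss).
$samples = [
    ['X-Request-Id', 'abc-123'],
    ['Location',     "https://example.test/\r\nX-Injected: 1"],
    ['Bad Name',     'x'],
    ['X-Trailing',   "value\n"],
];

foreach ($samples as [$name, $value]) {
    try {
        HeaderGuard::assertHeader($name, $value);
        echo "accepted: {$name}\n";
    } catch (HeaderValidationException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

// Scan a constructed header map the way a WAF rule or log review would.
$incoming = ['Host' => 'example.test', 'Referer' => "x\r\nX-Injected: 1"];
echo 'flagged: ', implode(', ', HeaderGuard::findNewlineInjection($incoming)), "\n";
```

Only the first sample is accepted; the other three are rejected and the scan flags Referer. The one design point worth noting is the `\z` anchor: PHP's PCRE `$` matches before a final newline, so a validator written with `$` would let a value ending in "\n" through, which is exactly the character class this CVE is about.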


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf2b32

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 12:04:58 PM

Last updated: 8/12/2025, 3:56:22 PM
