
CVE-2022-29248: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in guzzle guzzle

Medium
Published: Wed May 25 2022 (05/25/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: guzzle
Product: guzzle

Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

AI-Powered Analysis

Last updated: 06/23/2025, 07:51:45 UTC

Technical Analysis

CVE-2022-29248 is a vulnerability identified in the Guzzle PHP HTTP client library, specifically affecting versions prior to 6.5.6 and versions from 7.0.0 up to but not including 7.4.3. The vulnerability arises from improper validation in the cookie middleware component, which is responsible for handling HTTP cookies. Normally, when a server sets a cookie via the Set-Cookie header, the client should verify that the cookie's domain attribute matches the domain of the server that issued it. However, in the affected Guzzle versions, this domain check is missing. This flaw allows a malicious server to set cookies for unrelated domains, potentially leading to unauthorized exposure of sensitive information. The cookie middleware is disabled by default in Guzzle, so only users who explicitly enable it—either by adding the cookie middleware to the handler stack or by constructing the client with the ['cookies' => true] option—are vulnerable. Additionally, users who do not reuse the same Guzzle client instance to make requests across multiple domains or who have disabled redirect forwarding are not impacted by this vulnerability. The issue has been addressed in versions 6.5.6 and 7.4.3 by adding the necessary domain validation checks. As a temporary mitigation, disabling the cookie middleware prevents exploitation. No known exploits have been reported in the wild to date. This vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors due to improper access control in cookie handling.
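The missing check described above, written out as an added example (not Guzzle's code and not its patch). It follows the domain-match rule of RFC 6265 section 5.1.3; the function names `cookieDomainMatches` and `acceptSetCookie` and the sample headers are hypothetical.

```php
<?php

// RFC 6265 section 5.1.3 domain-match: may a cookie scoped to $cookieDomain
// be stored for a response that came from $requestHost?
function cookieDomainMatches(string $cookieDomain, string $requestHost): bool
{
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    $requestHost  = strtolower($requestHost);
    if ($cookieDomain === '') {
        return false;
    }
    if ($cookieDomain === $requestHost) {
        return true;
    }
    // IP-literal hosts match only exactly, never as a suffix.
    if (filter_var($requestHost, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Suffix match must begin at a label boundary ("ample.org" is not "example.org").
    $suffix = '.' . $cookieDomain;
    return substr($requestHost, -strlen($suffix)) === $suffix;
}

// Decide whether one Set-Cookie header value is acceptable from $requestHost.
function acceptSetCookie(string $setCookie, string $requestHost): bool
{
    $domain = null;
    foreach (array_slice(explode(';', $setCookie), 1) as $attr) {
        $kv = explode('=', trim($attr), 2);
        if (strcasecmp(trim($kv[0]), 'Domain') === 0 && trim($kv[1] ?? '') !== '') {
            $domain = trim($kv[1]); // the last Domain attribute wins
        }
    }
    // No Domain attribute: host-only cookie, bound to the responding host.
    return $domain === null || cookieDomainMatches($domain, $requestHost);
}

// Constructed sample: Set-Cookie values returned by cdn.example.org.
$host = 'cdn.example.org';
$headers = [
    'sid=1; Path=/',
    'sid=2; Domain=example.org; Secure',
    'sid=3; Domain=.CDN.example.org',
    'sid=4; Domain=example.com; HttpOnly',
    'sid=5; Domain=ample.org',
];
foreach ($headers as $h) {
    printf("%-6s %s\n", acceptSetCookie($h, $host) ? 'accept' : 'reject', $h);
}
```

A production cookie jar also needs a public-suffix check, which this example leaves out.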

Potential Impact

For European organizations, the impact of this vulnerability depends largely on their use of the Guzzle HTTP client with cookie middleware enabled. Organizations that develop or maintain PHP applications relying on Guzzle for HTTP requests and have enabled cookie handling are at risk of sensitive information leakage. Specifically, if a Guzzle client instance is reused across multiple domains, a malicious server could set cookies for unrelated domains, potentially exposing session tokens, authentication credentials, or other sensitive cookie data to unauthorized parties. This could lead to session hijacking, unauthorized access, or data leakage. The impact is heightened in multi-tenant or microservices environments where HTTP clients communicate with various domains using the same client instance. However, since the cookie middleware is disabled by default and the vulnerability requires specific client configurations, the overall exposure is limited. The absence of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks against organizations with vulnerable configurations. European organizations handling sensitive data, such as financial institutions, healthcare providers, and government agencies, should be particularly cautious. Failure to address this vulnerability could result in breaches of confidentiality, regulatory non-compliance (e.g., GDPR), and reputational damage.

Mitigation Recommendations

1. Upgrade affected Guzzle versions to 6.5.6 or 7.4.3 or later, where the vulnerability is patched.
2. If immediate upgrade is not feasible, disable the cookie middleware by avoiding the ['cookies' => true] option or removing the cookie middleware from the handler stack.
3. Avoid reusing the same Guzzle client instance for requests across multiple domains, especially when cookie middleware is enabled. Instead, instantiate separate clients per domain to isolate cookie storage.
4. Disable redirect forwarding in Guzzle clients to prevent unintended cookie forwarding across domains.
5. Conduct a thorough audit of PHP applications using Guzzle to identify configurations enabling cookie middleware and assess exposure.
6. Implement strict input validation and monitoring on servers interacting with Guzzle clients to detect anomalous cookie behavior.
7. Educate development teams about secure usage patterns of HTTP clients and cookie handling best practices.
8. Monitor for updates from Guzzle and related security advisories to promptly apply patches.
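One way to start the audit in step 5, as an added example that is not part of the advisory or of Guzzle: read the locked `guzzlehttp/guzzle` version from `composer.lock`, compare it with the affected ranges given above, and list source lines that switch cookie handling on. The function names and both sample inputs are constructed for illustration.

```php
<?php

// Affected per the advisory: anything below 6.5.6, and 7.x releases below 7.4.3.
// Non-numeric versions such as "dev-master" compare low and are flagged too.
function guzzleVersionAffected(string $version): bool
{
    $v = ltrim($version, 'vV');
    if (version_compare($v, '6.5.6', '<')) {
        return true;
    }
    return (int) explode('.', $v)[0] === 7 && version_compare($v, '7.4.3', '<');
}

// Return the locked guzzlehttp/guzzle version from composer.lock JSON, or null.
function lockedGuzzleVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') === 'guzzlehttp/guzzle') {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// 1-based line numbers where the cookie middleware appears to be enabled.
function cookieMiddlewareLines(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match('/[\'"]cookies[\'"]\s*=>\s*(?!false\b|null\b)\S/i', $line)
            || strpos($line, 'Middleware::cookies(') !== false) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed sample inputs: a minimal composer.lock and three client setups.
$lock = '{"packages":[{"name":"guzzlehttp/guzzle","version":"7.4.2"}]}';
$src = <<<'PHP'
$a = new Client(['cookies' => true]);
$b = new Client(['cookies' => false]);
$c = new Client(['cookies' => $jar, 'allow_redirects' => false]);
PHP;
$version = lockedGuzzleVersion($lock);
$affected = $version !== null && guzzleVersionAffected($version);
printf("guzzlehttp/guzzle %s: %s\n", $version ?? 'not locked', $affected ? 'AFFECTED' : 'ok');
printf("cookie handling enabled on lines: %s\n", implode(', ', cookieMiddlewareLines($src)));
```

A flagged line is a prompt for manual review: whether it is exposed still depends on the client being reused across domains or following redirects, as described above.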


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-04-13T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9843c4522896dcbf3061

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 7:51:45 AM

Last updated: 8/7/2025, 7:48:23 AM
