CVE-2022-31042: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in guzzle guzzle
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a URI on a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users of any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach: use your own redirect middleware rather than ours. If you do not require or expect redirects to be followed, simply disable redirects altogether.
AI Analysis
Technical Summary
CVE-2022-31042 is a medium-severity vulnerability in the Guzzle PHP HTTP client affecting the 6.x series before 6.5.7 and the 7.x series from 7.0.0 up to but not including 7.4.4. Guzzle is widely used in PHP applications for outbound HTTP requests, frequently as a transitive dependency of other packages. The flaw is in how the redirect middleware treats the `Cookie` request header when it follows a redirect. When a request made over HTTPS is answered with a redirect to an `http://` URL, or when any request is answered with a redirect to a different host, the `Cookie` header, which may carry session identifiers or other credentials, was carried over unchanged to the redirected request. Cookies managed by Guzzle's cookie middleware were not the problem, because the cookie jar only attaches cookies to the hosts they belong to; the problem was a `Cookie` header added by hand to the initial request (for example through the `headers` request option), which the redirect middleware left in place. The practical consequence is that the redirect target, not the origin the application meant to talk to, receives the credential: an attacker who controls or can influence the redirect target obtains it directly, and a downgrade to `http://` exposes it to anyone on the network path. Guzzle 7.4.4 and 6.5.7 fix this by always removing the `Cookie` header from the redirected request in these two cases and letting the cookie middleware re-add only the cookies it deems appropriate for the new URI. Users who cannot upgrade are advised to disable redirects or to implement their own redirect handling. The issue is classified under CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. No exploitation in the wild has been reported, but session cookies are a high-value target and the condition is trivial for a server to trigger, so the risk remains significant.
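As an added check (not code from the Guzzle project or from this advisory), the following PHP script tells you whether the Guzzle version Composer actually installed in a project still forwards a hand-built `Cookie` header across the two redirect shapes described above. It runs offline against Guzzle's `MockHandler`; the hostnames, paths and cookie value are made up for the demonstration.

```php
<?php
// Added check, not Guzzle project code: does the installed Guzzle forward a
// hand-built Cookie header across a cross-host or https->http redirect?
// Runs offline against a MockHandler; hostnames, paths and the cookie value
// are made up for the demonstration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

/**
 * Send an https request carrying a manual Cookie header to a server that
 * answers with a redirect to $location, let Guzzle's own redirect middleware
 * follow it, and report whether the Cookie header reached the second hop.
 */
function cookieForwardedAcrossRedirect(string $location): bool
{
    $mock = new MockHandler([
        new Response(302, ['Location' => $location]),   // hop 1: the redirect
        new Response(200, [], 'landed'),                 // hop 2: the target
    ]);
    $client = new Client(['handler' => HandlerStack::create($mock)]);

    $client->request('GET', 'https://app.example/account', [
        // Cookie added by hand, bypassing the cookie jar: exactly the case
        // CVE-2022-31042 describes.
        'headers'         => ['Cookie' => 'session=constructed-demo-value'],
        'allow_redirects' => true,
    ]);

    // MockHandler remembers the last request it served, i.e. the redirected one.
    $second = $mock->getLastRequest();

    return $second !== null && $second->hasHeader('Cookie');
}

// The third case is the control: same host and scheme, so forwarding is expected.
$cases = [
    'cross-host'            => ['http://other.example/landing', false],
    'https->http downgrade' => ['http://app.example/landing',   false],
    'same host and scheme'  => ['https://app.example/landing',  true],
];

$vulnerable = false;
foreach ($cases as $label => [$location, $forwardingExpected]) {
    $forwarded  = cookieForwardedAcrossRedirect($location);
    $leak       = $forwarded && !$forwardingExpected;
    $vulnerable = $vulnerable || $leak;
    printf("%-22s Cookie %s%s\n", $label, $forwarded ? 'forwarded' : 'stripped', $leak ? '  <-- LEAK' : '');
}

exit($vulnerable ? 1 : 0);   // non-zero exit so the check can gate a CI job
```

On an affected version the first two lines are flagged `<-- LEAK` and the script exits non-zero; on 6.5.7, 7.4.4 and later only the control case forwards the header. Running it inside the real dependency tree is the point: it answers the question for the version that is actually installed, which may differ from what the application's own `composer.json` suggests.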
Potential Impact
For European organizations, leakage of cookies during HTTP redirects can lead to session hijacking, unauthorized access and data breaches. Many European enterprises, including financial institutions, e-commerce platforms, healthcare providers and government services, run PHP applications that use Guzzle for server-to-server HTTP calls, and those calls often carry session or API cookies for the upstream service. If such a call is redirected to an attacker-controlled host, the attacker receives the cookie outright; if it is redirected from `https://` to a plain `http://` URL, an attacker positioned on the network path can read it. The risk is highest where the application fetches URLs it does not fully control, where upstream services are legacy systems that still issue HTTPS-to-HTTP redirects, or where an upstream is compromised or misconfigured. The impact is primarily to confidentiality; because a stolen session cookie lets the attacker act as the victim, integrity of the affected account follows, and availability of the victim's session can suffer if the attacker uses it to log the user out. Under GDPR, exposure of user session data of this kind may also trigger breach-notification duties and regulatory penalties. The absence of known exploits means proactive patching is effective, but the ubiquity of Guzzle in the PHP ecosystem, often as a transitive dependency that teams do not track directly, makes the attack surface considerable.
Mitigation Recommendations
1. Upgrade. Move every affected install to Guzzle 6.5.7 or 7.4.4 (or later). Because Guzzle is frequently pulled in transitively, check `composer show guzzlehttp/guzzle` (or the lock file) in every deployable artifact, not only in projects that require it directly.
2. Disable automatic redirects. If upgrading is not immediately possible, set `'allow_redirects' => false` in the client configuration (or per request) so Guzzle never forwards anything; most server-to-server API calls do not need redirects at all.
3. Implement custom redirect handling. Where redirects are genuinely needed, follow them with your own logic that removes the `Cookie` header (including one added by hand) whenever the target is on a different host or moves from `https` to `http`, instead of relying on the built-in middleware.
4. Audit cookie handling. Review application code for `'headers' => ['Cookie' => ...]` and similar manual cookie construction; prefer a `CookieJar` passed through the `cookies` option, which only attaches cookies to the hosts they belong to.
5. Monitor redirects. Log 3xx responses seen by the client and alert on any whose `Location` points to another host or to an `http://` URL.
6. Network controls. Enforce HTTPS-only egress and block plaintext HTTP from application hosts, so a downgrade redirect cannot be followed even if the client would do so.
7. Security testing. Add a check to regular assessments that sends a request with a hand-built `Cookie` header through a redirecting test endpoint and confirms the header does not reach a cross-host or `http://` target.
8. Developer education. Train teams on the difference between the cookie jar and raw `Cookie` headers, and on the redirect semantics of the HTTP client in use.
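Mitigations 2 and 3 above, worked as an added PHP example (not Guzzle project code): redirect following is switched off with `'allow_redirects' => false`, and a small follower re-issues redirected requests itself, dropping the `Cookie` header on cross-host and https-to-http hops. It is exercised offline against a `MockHandler`; the hostnames, cookie value and queued responses are constructed for the demonstration, and the follower is written for GET requests only.

```php
<?php
// Added example, not Guzzle project code: follow redirects by hand with
// Guzzle's own redirect middleware disabled, stripping the Cookie header on
// cross-host and https->http hops. Hostnames, cookie value and the queued
// responses are constructed for the demonstration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

/** True when a hop from $from to $to must not carry the Cookie header. */
function mustStripCookie(UriInterface $from, UriInterface $to): bool
{
    $hostChanged = strcasecmp($from->getHost(), $to->getHost()) !== 0;
    $downgraded  = $from->getScheme() === 'https' && $to->getScheme() !== 'https';
    return $hostChanged || $downgraded;
}

/**
 * Send $request and follow up to $maxHops redirects ourselves. Written for
 * GET requests: it does not rewrite method or body for 303 responses.
 */
function sendFollowingRedirectsSafely(Client $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        // With redirects disabled, Guzzle hands the 3xx response back as-is.
        $response = $client->send($request, ['allow_redirects' => false]);

        $status = $response->getStatusCode();
        if ($status < 300 || $status > 399 || !$response->hasHeader('Location')) {
            return $response;
        }
        if ($hop >= $maxHops) {
            throw new RuntimeException("Gave up after {$maxHops} redirects");
        }

        // Resolve a possibly relative Location against the request just sent.
        $target = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        $next   = $request->withUri($target);   // withUri() also updates the Host header

        if (mustStripCookie($request->getUri(), $target)) {
            // The step the vulnerable middleware skipped for a manually added Cookie header.
            $next = $next->withoutHeader('Cookie');
        }
        $request = $next;
    }
}

/** Run one scenario against a MockHandler; true if Cookie reached the redirect target. */
function cookieReachesTarget(string $location): bool
{
    $mock = new MockHandler([
        new Response(302, ['Location' => $location]),
        new Response(200, [], 'landed'),
    ]);
    // Mitigation 2: no automatic redirects anywhere on this client.
    $client = new Client([
        'handler'         => HandlerStack::create($mock),
        'allow_redirects' => false,
    ]);

    $request = new Request('GET', 'https://app.example/account', [
        'Cookie' => 'session=constructed-demo-value',   // hand-built, bypasses the jar
    ]);
    sendFollowingRedirectsSafely($client, $request);

    $last = $mock->getLastRequest();
    return $last !== null && $last->hasHeader('Cookie');
}

foreach ([
    'cross-host'            => 'http://other.example/landing',
    'https->http downgrade' => 'http://app.example/landing',
    'same host and scheme'  => '/landing',
] as $label => $location) {
    printf("%-22s %s\n", $label, cookieReachesTarget($location) ? 'Cookie kept' : 'Cookie stripped');
}
```

The first two scenarios report `Cookie stripped` and the control reports `Cookie kept`, on any Guzzle version, because the built-in middleware never sees a redirect. If the application does not need redirects at all, stop after the `'allow_redirects' => false` client setting, which is the advisory's own recommendation; the follower exists only for callers that genuinely have to chase a `Location`.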
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9844c4522896dcbf340d
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 5:20:36 AM
Last updated: 8/12/2025, 7:25:40 PM