CVE-2022-31043: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in guzzle guzzle

Medium
Published: Thu Jun 09 2022 (06/09/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: guzzle
Product: guzzle

Description

Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach, which would be to use their own redirect middleware. Alternately, users may simply disable redirects altogether if redirects are not expected or required.

AI-Powered Analysis

Last updated: 06/23/2025, 05:20:17 UTC

Technical Analysis

CVE-2022-31043 is a medium-severity vulnerability affecting the Guzzle PHP HTTP client, specifically versions prior to 6.5.7 and versions from 7.0.0 up to but not including 7.4.4. Guzzle is widely used in PHP applications to send HTTP requests. The vulnerability arises from improper handling of the Authorization header during HTTP redirects. When a request is made over HTTPS and the server responds with a redirect to an HTTP URL (a downgrade from secure to insecure protocol), Guzzle should not forward the Authorization header to the redirected HTTP endpoint to prevent exposure of sensitive credentials. However, in affected versions, Guzzle fails to remove the Authorization header on HTTPS to HTTP redirects, only removing it when the host changes. This behavior can lead to sensitive authorization tokens being sent over unencrypted HTTP connections, exposing them to interception by unauthorized actors through network sniffing or man-in-the-middle attacks. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No known exploits in the wild have been reported, but the risk remains significant due to the potential leakage of sensitive credentials. The recommended remediation is to upgrade to Guzzle 7.4.4 or 6.5.7 or later. For users unable to upgrade immediately, alternative mitigations include implementing custom redirect middleware that strips Authorization headers on protocol downgrade or disabling redirects entirely if they are not required.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive authentication credentials used in HTTP requests. Many web applications, APIs, and services in Europe rely on Guzzle for backend HTTP communications, including financial services, healthcare, government portals, and e-commerce platforms. Exposure of Authorization headers over HTTP can lead to credential theft, unauthorized access to protected resources, and potential data breaches. This risk is amplified in environments where internal or external redirects from HTTPS to HTTP occur, either intentionally or due to misconfigurations. The confidentiality of sensitive data is primarily at risk, but indirect impacts on integrity and availability may occur if attackers leverage stolen credentials to perform unauthorized actions or disrupt services. Given the widespread use of Guzzle in PHP applications across Europe, the vulnerability could affect a broad range of sectors, especially those handling sensitive personal or financial data. The absence of known exploits reduces immediate urgency but does not eliminate the threat, as attackers could develop exploits targeting this flaw.

Mitigation Recommendations

1. Upgrade immediately to Guzzle 7.4.4 or 6.5.7 or later to ensure the Authorization header is correctly stripped on HTTPS to HTTP redirects.
2. Audit application code and dependencies to identify all instances of Guzzle usage and confirm version compliance.
3. If upgrading is not feasible in the short term, implement custom redirect middleware that explicitly removes Authorization headers when redirecting from HTTPS to HTTP.
4. Review and minimize the use of HTTP redirects, especially those that downgrade from HTTPS to HTTP, and configure servers to avoid such redirects where possible.
5. Disable automatic redirects in Guzzle if redirects are not necessary for the application workflow.
6. Monitor network traffic for unexpected transmission of Authorization headers over unencrypted channels.
7. Educate development teams about secure handling of sensitive headers and the risks of protocol downgrades.
8. Incorporate this vulnerability check into continuous integration pipelines to prevent regressions.
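As a worked version of the custom-middleware mitigation named in the description and in item 3 above (an added example, not Guzzle's own code or the 7.4.4 patch), the following replaces Guzzle's built-in redirect following with middleware that drops the Authorization header whenever a redirect changes the host or downgrades https to http. It assumes guzzlehttp/guzzle is installed through Composer; the host names and token are constructed, and the MockHandler stands in for a server that answers with an https to http redirect.

```php
<?php
// Added example (not Guzzle's own code): replacement redirect middleware applying the
// rule the 7.4.4 fix enforces. Assumes guzzlehttp/guzzle is installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use GuzzleHttp\{Client, HandlerStack};
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\Psr7\{Response, Uri, UriResolver};
use Psr\Http\Message\{RequestInterface, ResponseInterface, UriInterface};

// Drop credentials on a host change or an https -> http downgrade (cleartext exposure).
function shouldStripAuthorization(UriInterface $from, UriInterface $to): bool
{
    return strcasecmp($from->getHost(), $to->getHost()) !== 0
        || ($from->getScheme() === 'https' && $to->getScheme() === 'http');
}

function safeRedirectMiddleware(int $maxRedirects = 5): callable
{
    return static function (callable $handler) use ($maxRedirects): callable {
        $follow = static function (RequestInterface $req, array $opts, int $depth)
                use ($handler, $maxRedirects, &$follow) {
            return $handler($req, $opts)->then(static function (ResponseInterface $res)
                    use ($req, $opts, $depth, $maxRedirects, $follow) {
                $status = $res->getStatusCode();
                if ($status < 300 || $status >= 400 || !$res->hasHeader('Location')) {
                    return $res; // not a redirect: pass the response through
                }
                if ($depth >= $maxRedirects) {
                    throw new \RuntimeException("Exceeded $maxRedirects redirects");
                }
                $target = UriResolver::resolve($req->getUri(), new Uri($res->getHeaderLine('Location')));
                $next = $req->withUri($target);
                if (shouldStripAuthorization($req->getUri(), $target)) {
                    $next = $next->withoutHeader('Authorization');
                }
                return $follow($next, $opts, $depth + 1); // re-issue the sanitised request
            });
        };
        return static function (RequestInterface $req, array $opts) use ($follow) { return $follow($req, $opts, 0); };
    };
}

// Constructed offline check: MockHandler plays a server that redirects https -> http.
$mock = new MockHandler([new Response(302, ['Location' => 'http://api.example.test/next']),
    new Response(200)]);
$stack = HandlerStack::create($mock);
$stack->push(safeRedirectMiddleware(), 'safe_redirects');
$client = new Client(['handler' => $stack, 'allow_redirects' => false]); // built-in following off
$client->get('https://api.example.test/start', ['headers' => ['Authorization' => 'Bearer CONSTRUCTED']]);
$last = $mock->getLastRequest();
printf("%s carries Authorization: %s\n", $last->getUri(), $last->hasHeader('Authorization') ? 'yes' : 'no');
```

Pushing the middleware after `HandlerStack::create()` places it next to the transport, so every re-issued request passes through it; setting `allow_redirects` to false keeps the affected built-in middleware from following redirects on its own.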

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3411

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 5:20:17 AM

Last updated: 8/18/2025, 11:34:29 PM