
CVE-2022-31090: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in guzzle guzzle

Medium
Published: Mon Jun 27 2022 (06/27/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: guzzle
Product: guzzle

Description

Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you do not require or expect redirects to be followed, one should simply disable redirects altogether. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.

AI-Powered Analysis

Last updated: 06/23/2025, 04:49:56 UTC

Technical Analysis

CVE-2022-31090 is a medium-severity vulnerability affecting Guzzle, a widely used extensible PHP HTTP client library. The vulnerability arises from improper handling of the `Authorization` header during HTTP redirects when using Guzzle's Curl handler. Specifically, when a request includes an `Authorization` header via the `CURLOPT_HTTPAUTH` option and the server responds with a redirect to a URI that changes the origin—defined as a change in host, scheme (e.g., HTTP to HTTPS), or port—Guzzle should remove the `Authorization` header before following the redirect. Failure to do so results in the sensitive `Authorization` header being sent to an unintended, potentially unauthorized third-party endpoint. This exposure can lead to unauthorized disclosure of credentials or tokens, compromising confidentiality. Affected versions include all Guzzle versions prior to 6.5.8 and versions from 7.0.0 up to but not including 7.4.5. A partial fix in version 7.4.2 addressed removal of the header only when the host changed, but did not cover changes in scheme or port, leaving the vulnerability partially open until 7.4.5. Users who do not require automatic redirect following can mitigate risk by disabling redirects entirely or by switching from the Curl handler to the Guzzle stream handler backend, which is not affected by this issue. This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). While no known exploits have been reported in the wild, the risk remains significant due to the potential for credential leakage during redirects, especially in complex web environments where redirects are common. The vulnerability requires no user interaction but does require that the application uses the Curl handler with vulnerable versions of Guzzle and follows redirects across origins with sensitive authorization headers present.
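The analysis above turns on what counts as a "different origin". The following is an added example (not Guzzle's own code, and not the patched RedirectMiddleware or CurlFactory) that models the two checks side by side: a host-only comparison, as in the partial fix in 7.4.2, and a scheme/host/port comparison, as required by the complete fix in 7.4.5. It uses only PHP's built-in `parse_url()`; the redirect pairs are constructed sample data.

```php
<?php
// Added example, not Guzzle's own code. Models the origin comparison the
// advisory describes: a redirect target is a different origin when the
// scheme, host or port changes. hostChanged() mirrors the partial fix (7.4.2);
// originChanged() mirrors the complete fix (7.4.5).

declare(strict_types=1);

/** Default port for a scheme, so "https://a.example" and "https://a.example:443" compare equal. */
function defaultPort(string $scheme): ?int
{
    return ['http' => 80, 'https' => 443][$scheme] ?? null;
}

/** Normalised [scheme, host, port] triple for an absolute URL. */
function origin(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("not an absolute URL: $url");
    }
    $scheme = strtolower($p['scheme']);
    return [$scheme, strtolower($p['host']), $p['port'] ?? defaultPort($scheme)];
}

/** Partial check (7.4.2 behaviour): only a change of host strips the curl-added auth. */
function hostChanged(string $from, string $to): bool
{
    return origin($from)[1] !== origin($to)[1];
}

/** Complete check (7.4.5 behaviour): any change of scheme, host or port strips it. */
function originChanged(string $from, string $to): bool
{
    return origin($from) !== origin($to);
}

// Constructed redirect pairs; the last two are the cases the partial fix missed.
$cases = [
    ['https://api.example/v1/x', 'https://api.example/v1/y'],        // same origin
    ['https://api.example/v1/x', 'https://other.example/v1/y'],      // host change
    ['https://api.example/v1/x', 'http://api.example/v1/y'],         // scheme change (https -> http)
    ['https://api.example/v1/x', 'https://api.example:8443/v1/y'],   // port change
];

foreach ($cases as [$from, $to]) {
    printf(
        "%-35s host-only: %-5s full: %s\n",
        $to,
        hostChanged($from, $to) ? 'strip' : 'KEEP',
        originChanged($from, $to) ? 'strip' : 'KEEP'
    );
}
```

Run with `php origin_check.php`: for the scheme-change and port-change rows the host-only column prints `KEEP` while the full check prints `strip`, which is exactly the window left open between 7.4.2 and 7.4.5. Default-port normalisation matters: without it, `https://api.example` and `https://api.example:443` would be treated as different origins and credentials would be dropped on a redirect that stays on the same server.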

Potential Impact

For European organizations, the impact of CVE-2022-31090 can be significant, especially for those relying on Guzzle in their PHP-based web applications or services that handle sensitive authentication tokens or credentials in HTTP headers. Exposure of `Authorization` headers to unintended endpoints can lead to unauthorized access to protected resources, data breaches, and potential lateral movement within networks. This is particularly critical for sectors handling sensitive personal data under GDPR, such as finance, healthcare, and government services, where unauthorized disclosure can result in regulatory penalties and reputational damage. Additionally, organizations using microservices architectures or API gateways that rely on Guzzle for HTTP client functionality may inadvertently expose credentials when redirects occur, increasing the attack surface. The vulnerability could also facilitate man-in-the-middle attacks if redirects lead to malicious endpoints, further compromising confidentiality and integrity.

Mitigation Recommendations

1. Upgrade Guzzle to version 7.4.5 or later, or to 6.5.8 or later if using the 6.x series, as these versions contain the complete fix for this vulnerability.
2. If upgrading is not immediately feasible, disable automatic redirect following in Guzzle by setting the `allow_redirects` option to false, preventing the client from sending authorization headers to redirected origins.
3. Alternatively, configure Guzzle to use the stream handler backend instead of the Curl handler, as the stream handler does not exhibit this vulnerability.
4. Review application code to audit usage of `Authorization` headers in HTTP requests, ensuring that sensitive headers are not sent to untrusted or external domains.
5. Implement strict validation and whitelisting of redirect URLs to prevent redirects to untrusted origins.
6. Monitor network traffic and logs for unexpected outbound requests containing authorization headers to unknown or suspicious endpoints.
7. Educate developers about secure handling of HTTP headers and the risks associated with automatic redirects involving sensitive information.
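Recommendations 2, 3 and 5 are configuration changes. The following added example (written for this page, not code from the Guzzle project) shows each as a Guzzle 7 client factory. It assumes Guzzle 7 is installed through Composer (`vendor/autoload.php`), that `https://api.example` is a placeholder endpoint, and that the allowlist passed to `clientWithRedirectAllowlist()` is an application-level list of hosts a redirect may legitimately reach. `on_redirect`, `protocols`, `strict` and `max` are documented sub-options of `allow_redirects`; that throwing from the `on_redirect` callback rejects the request before the redirected request is sent is an assumption about `RedirectMiddleware` that should be checked against the installed version.

```php
<?php
// Added example, not Guzzle's own code: configuration-level mitigations for
// CVE-2022-31090. Assumes Guzzle 7 via Composer; https://api.example is a placeholder.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\StreamHandler;
use GuzzleHttp\HandlerStack;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

/** Mitigation 2: never follow redirects, so credentials only reach the origin you addressed. */
function clientWithoutRedirects(): Client
{
    return new Client(['allow_redirects' => false]);
}

/** Mitigation 3: use the stream handler, so CURLOPT_HTTPAUTH is never involved. */
function clientWithStreamHandler(): Client
{
    return new Client(['handler' => HandlerStack::create(new StreamHandler())]);
}

/**
 * Mitigation 5: follow redirects, but only over https and only to allowlisted hosts
 * when the origin changes. Same-origin redirects are followed silently.
 *
 * @param string[] $allowedHosts lower-case host names (assumed application allowlist)
 */
function clientWithRedirectAllowlist(array $allowedHosts): Client
{
    $onRedirect = function (RequestInterface $request, ResponseInterface $response, UriInterface $target) use ($allowedHosts): void {
        $from = $request->getUri();
        // Origin = scheme + host + port; PSR-7 Uri::getPort() returns null for a scheme's default port.
        $crossOrigin = $from->getScheme() !== $target->getScheme()
            || strcasecmp($from->getHost(), $target->getHost()) !== 0
            || $from->getPort() !== $target->getPort();

        if ($crossOrigin && !in_array(strtolower($target->getHost()), $allowedHosts, true)) {
            // Assumption: an exception here rejects the request before the redirect is sent.
            throw new \RuntimeException(sprintf(
                'refusing cross-origin redirect %s -> %s', (string) $from, (string) $target
            ));
        }
        // Mitigation 6 at the application layer: keep a record of every followed redirect.
        error_log(sprintf('redirect %d: %s -> %s', $response->getStatusCode(), (string) $from, (string) $target));
    };

    return new Client([
        'allow_redirects' => [
            'max'         => 5,
            'strict'      => true,
            'protocols'   => ['https'],   // refuse https -> http downgrades outright
            'on_redirect' => $onRedirect,
        ],
    ]);
}

// Usage: digest auth is one of the `auth` types the curl handler implements through
// CURLOPT_HTTPAUTH (my reading of the curl handler; basic auth is sent as a plain header).
$client = clientWithRedirectAllowlist(['api.example']);
$response = $client->get('https://api.example/v1/resource', [
    'auth' => ['user', 'secret', 'digest'],
]);
echo $response->getStatusCode(), PHP_EOL;
```

Of the three, `clientWithoutRedirects()` is the smallest change and the easiest to reason about; it is the right default for API clients that talk to a fixed host. The allowlist variant is for code that genuinely needs to follow redirects, and its `protocols` restriction alone already closes the scheme-change case the partial fix missed.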


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf34b7

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 4:49:56 AM

Last updated: 8/13/2025, 1:59:27 AM
