CVE-2022-31091: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in guzzle guzzle

Medium
Published: Mon Jun 27 2022 (06/27/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: guzzle
Product: guzzle

Description

Guzzle is an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions, when a request receives a redirect to a URI with a different port and we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we only considered a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users of any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you are unable to upgrade, an alternative is to use your own redirect middleware rather than ours. If you do not require or expect redirects to be followed, simply disable redirects altogether.

AI-Powered Analysis

Last updated: 06/23/2025, 04:49:39 UTC

Technical Analysis

CVE-2022-31091 is a vulnerability in Guzzle, a widely used extensible PHP HTTP client library. The issue pertains to the improper handling of sensitive HTTP headers, specifically the 'Authorization' and 'Cookie' headers, during HTTP redirects. When a Guzzle client makes a request that results in a redirect response to a URI with a different port, the client is expected to remove these sensitive headers before following the redirect to prevent exposure of credentials or session information to unintended endpoints. However, in affected versions of Guzzle (all versions prior to 6.5.8 and versions from 7.0.0 up to but not including 7.4.5), the client only removed these headers if the redirect involved a change in host or scheme, but not if the redirect was to a different port on the same host and scheme. This oversight could lead to sensitive information being sent to an unauthorized actor if the redirect target is controlled by an attacker or is otherwise untrusted. A partial fix was introduced in version 7.4.2, which addressed removal of the Authorization header on host changes but did not cover changes in scheme or port. The full fix was implemented in version 7.4.5. Users unable to upgrade immediately are advised to disable automatic redirects or implement custom redirect middleware to ensure sensitive headers are not leaked. This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and is classified as medium severity. There are no known exploits in the wild at this time. The vulnerability affects a broad range of Guzzle versions, which is significant given Guzzle's popularity in PHP-based web applications and services.

Potential Impact

For European organizations, the exposure of Authorization and Cookie headers during redirects can lead to unauthorized disclosure of authentication tokens, session cookies, or other sensitive credentials. This can facilitate unauthorized access to protected resources, user impersonation, or session hijacking. The impact is particularly critical for organizations handling sensitive personal data (e.g., financial institutions, healthcare providers, and government agencies) due to GDPR and other data protection regulations. Such exposure could result in data breaches, regulatory fines, reputational damage, and operational disruptions. Since Guzzle is commonly used in backend services, APIs, and web applications, the vulnerability could affect a wide range of applications, including internal tools and customer-facing services. Attackers could exploit this vulnerability by inducing redirects to attacker-controlled endpoints on different ports, thereby capturing sensitive headers. Although no exploits are currently known, the potential for credential leakage makes this a significant risk, especially in environments where redirects are common or where applications interact with multiple services across different ports.

Mitigation Recommendations

European organizations should prioritize upgrading Guzzle to version 7.4.5 or later, or to 6.5.8 if using the 6.x series, to ensure the vulnerability is fully patched. If immediate upgrade is not feasible, organizations should disable automatic redirect following in Guzzle to prevent unintended header leakage. Alternatively, implement custom redirect middleware that explicitly removes Authorization and Cookie headers on any redirect, including those involving port changes. Conduct a thorough audit of all applications and services using Guzzle to identify affected versions and assess redirect usage patterns. Additionally, review and restrict redirect targets to trusted domains and ports only, minimizing the risk of redirect-based attacks. Monitor application logs for unusual redirect behavior or unexpected outbound requests to unfamiliar ports. Employ network-level controls such as firewall rules to restrict outbound traffic to known safe ports and domains. Finally, educate developers and DevOps teams about secure handling of sensitive headers during redirects and incorporate this knowledge into secure coding guidelines and code reviews.
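The workaround the advisory describes (own redirect handling instead of Guzzle's, with the port included in the origin check), as an added example that is not Guzzle's own code: automatic redirects are disabled and followed by hand, and `Authorization`/`Cookie` are dropped whenever host, scheme or port changes. The URL and token in the usage lines are placeholders.

```php
<?php
// Added example (not Guzzle's own code): with automatic redirects disabled,
// follow them by hand and drop Authorization/Cookie whenever the target
// differs in host, scheme OR port. The port comparison is the check that
// affected Guzzle versions (< 6.5.8, and 7.0.0 up to < 7.4.5) omitted.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// PSR-7 getPort() is null for the scheme's default port, so http://h and
// http://h:80 compare equal, while http://h and http://h:8080 do not.
function crossesOrigin(UriInterface $from, UriInterface $to): bool
{
    return strcasecmp($from->getHost(), $to->getHost()) !== 0
        || $from->getScheme() !== $to->getScheme()
        || $from->getPort() !== $to->getPort();
}

function sendFollowingSafely(Client $client, RequestInterface $request, int $maxRedirects = 5): ResponseInterface
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response;
        }
        $target = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        $next = $request->withUri($target); // also rewrites the Host header
        if (crossesOrigin($request->getUri(), $target)) {
            $next = $next->withoutHeader('Authorization')->withoutHeader('Cookie');
        }
        // 303, and 301/302 on POST, switch to a bodiless GET; 307/308 keep the method.
        if ($status === 303 || ($request->getMethod() === 'POST' && $status !== 307 && $status !== 308)) {
            $next = $next->withMethod('GET')->withBody(Utils::streamFor(''));
        }
        $request = $next;
    }
    throw new \RuntimeException("More than $maxRedirects redirects");
}

// Constructed usage; the URL and token are placeholders.
$client = new Client();
$req = new Request('GET', 'https://api.example.test/v1/me', ['Authorization' => 'Bearer <token>']);
$resp = sendFollowingSafely($client, $req);
```

Stripping the two headers on every redirect, regardless of origin, is the stricter option the mitigation paragraph mentions and needs only the `crossesOrigin` call removed.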

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf34bb

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 4:49:39 AM

Last updated: 8/12/2025, 7:25:00 PM
