
CVE-2022-31109: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in laminas laminas-diactoros

Medium
Published: Mon Aug 01 2022 (08/01/2022, 16:15:14 UTC)
Source: CVE
Vendor/Project: laminas
Product: laminas-diactoros

Description

laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, the library offers mitigation measures only in the v2 releases, as doing otherwise would break these use cases immediately. Users of v2 releases from 2.11.1 can provide an additional argument to `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` in the form of a `Laminas\Diactoros\RequestFilter\RequestFilterInterface` instance, including the shipped `Laminas\Diactoros\RequestFilter\NoOpRequestFilter` implementation which ignores the `X-Forwarded-*` headers. Starting in version 3.0, the library will reverse behavior to use the `NoOpRequestFilter` by default, and require users to opt-in to `X-Forwarded-*` header usage via a configured `Laminas\Diactoros\RequestFilter\LegacyXForwardedHeaderFilter` instance. Users are advised to upgrade to version 2.11.1 or later to resolve this issue. Users unable to upgrade may configure web servers to reject `X-Forwarded-*` headers at the web server level.

AI-Powered Analysis

Last updated: 06/23/2025, 01:50:07 UTC

Technical Analysis

CVE-2022-31109 is a medium-severity vulnerability in the laminas-diactoros PHP package, which implements the PSR-7 HTTP message interfaces and the PSR-17 HTTP message factory interfaces. The weakness lies in how `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` builds the `Laminas\Diactoros\Uri` of the incoming server request: the `X-Forwarded-Host`, `X-Forwarded-Proto` and `X-Forwarded-Port` headers, which load balancers and reverse proxies use to convey the original client's host, protocol and port, are honoured regardless of who sent them. Any application that is reachable directly, or sits behind a proxy that passes client-supplied `X-Forwarded-*` headers through instead of overwriting them, therefore lets the client choose the host, scheme and port of the request URI.

What that buys an attacker depends on what the application does with the URI. If it emits fully-qualified URLs built from it (absolute links, canonical URLs) without HTML-escaping them, an `X-Forwarded-Host` value containing markup is written into the generated page, which is the CWE-79 cross-site scripting case. Even where the output is escaped correctly, the attacker still controls the origin in every such URL (URL poisoning), so generated links point at a host of the attacker's choosing.

Version 2.11.1 adds an optional `RequestFilterInterface` argument to `fromGlobals()`; passing the shipped `NoOpRequestFilter` makes the factory ignore `X-Forwarded-*` entirely. In the 2.x series the default is deliberately left unchanged so that deployments behind load balancers keep working, which means upgrading to 2.11.1 without passing the filter does not close the issue. From version 3.0 the default is reversed: the headers are ignored unless a `LegacyXForwardedHeaderFilter` is explicitly configured. Deployments that cannot upgrade can strip or validate the headers at the web server or edge proxy so that only values set by trusted infrastructure reach PHP.

No exploitation in the wild has been reported. The only prerequisite, however, is the ability to send an HTTP request with chosen headers to the application, so the risk is concrete wherever the application is exposed directly or through a proxy that does not sanitise these headers.
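The following script is an added example written for this page, not code from laminas-diactoros. It models the behaviour the Description and the analysis above describe (scheme, host and port of the request URI taken from `X-Forwarded-*` headers), shows the injected link that results when an absolute URL is built from it, and contrasts it with a derivation that honours those headers only from an allow-listed proxy and only when they are well-formed. The `$_SERVER`-style array, the proxy address 10.0.0.5 and the served host names are constructed; PHP 8 is assumed. The final guarded section calls the library with the class names the CVE text gives (`ServerRequestFactory::fromGlobals()` with a `NoOpRequestFilter`); the position of that argument after the five globals arrays is an assumption, and the section is skipped when the library is not installed.

```php
<?php
declare(strict_types=1);

// Added example, not code from laminas-diactoros. Models the behaviour the
// advisory describes and contrasts it with a trusted-proxy-only derivation.

// Constructed $_SERVER-style input: the request comes straight from the
// attacker (REMOTE_ADDR is not a proxy) and carries forged forwarding headers.
const FORGED_SERVER = [
    'REMOTE_ADDR'            => '203.0.113.7',
    'SERVER_NAME'            => 'app.example.test',
    'SERVER_PORT'            => '443',
    'HTTPS'                  => 'on',
    'HTTP_HOST'              => 'app.example.test',
    'HTTP_X_FORWARDED_HOST'  => 'evil.example"><script>alert(1)</script>',
    'HTTP_X_FORWARDED_PROTO' => 'http',
    'HTTP_X_FORWARDED_PORT'  => '8080',
];

// Assumed address of the only load balancer allowed to set X-Forwarded-*.
const TRUSTED_PROXIES = ['10.0.0.5'];

// host[:port] grammar: DNS labels joined by dots, optional numeric port.
const HOST_PATTERN = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$/i';

function assembleBase(string $scheme, string $host, ?string $port): string
{
    $default = $scheme === 'https' ? '443' : '80';
    // omit the port when it is the scheme default or the host already carries one
    $suffix = ($port === null || $port === $default || str_contains($host, ':')) ? '' : ':' . $port;
    return $scheme . '://' . $host . $suffix;
}

/** Vulnerable: X-Forwarded-* always override what the server saw (the pre-fix default). */
function baseUrlLegacy(array $server): string
{
    $scheme = $server['HTTP_X_FORWARDED_PROTO']
        ?? ((($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http');
    $host   = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    $port   = $server['HTTP_X_FORWARDED_PORT'] ?? $server['SERVER_PORT'] ?? null;
    return assembleBase($scheme, $host, $port);
}

/** Hardened: forwarded values count only from a trusted proxy, and only when well-formed. */
function baseUrlHardened(array $server, array $trustedProxies): string
{
    $scheme = (($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    $port   = $server['SERVER_PORT'] ?? null;

    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        $fProto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        if (in_array($fProto, ['http', 'https'], true)) {
            $scheme = $fProto;
        }
        $fHost = $server['HTTP_X_FORWARDED_HOST'] ?? '';
        if ($fHost !== '' && preg_match(HOST_PATTERN, $fHost) === 1) {
            $host = $fHost;
        }
        $fPort = $server['HTTP_X_FORWARDED_PORT'] ?? '';
        if (ctype_digit($fPort) && (int) $fPort >= 1 && (int) $fPort <= 65535) {
            $port = $fPort;
        }
    }
    return assembleBase($scheme, $host, $port);
}

// The sink: an absolute link built from the request base, as many layouts do.
function loginLink(string $base, bool $escape): string
{
    $href = $base . '/login';
    if ($escape) {
        $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return '<a href="' . $href . '">Log in</a>';
}

$legacy = baseUrlLegacy(FORGED_SERVER);
echo "legacy base    : $legacy\n";
echo "unescaped link : " . loginLink($legacy, false) . "\n"; // attribute broken out of, script injected
echo "escaped link   : " . loginLink($legacy, true) . "\n";  // no script, but the link still targets evil.example
echo "hardened base  : " . baseUrlHardened(FORGED_SERVER, TRUSTED_PROXIES) . "\n"; // https://app.example.test

// The same headers arriving from the real load balancer are honoured (the legitimate use case).
$viaProxy = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_X_FORWARDED_HOST'  => 'www.example.test',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
] + FORGED_SERVER;
echo "via proxy base : " . baseUrlHardened($viaProxy, TRUSTED_PROXIES) . "\n"; // https://www.example.test

// With laminas-diactoros 2.11.1+ installed, the filter named in the advisory gives the
// hardened result. Class names are taken from the CVE text; the argument position after
// the five globals arrays is assumed. Guarded so the script runs without the library.
if (class_exists(\Laminas\Diactoros\ServerRequestFactory::class)
    && class_exists(\Laminas\Diactoros\RequestFilter\NoOpRequestFilter::class)) {
    $request = \Laminas\Diactoros\ServerRequestFactory::fromGlobals(
        FORGED_SERVER, [], [], [], [],
        new \Laminas\Diactoros\RequestFilter\NoOpRequestFilter()
    );
    echo "diactoros host : " . $request->getUri()->getHost() . "\n";
}
```

Run it with `php` on the command line. The "escaped link" line is the point practitioners most often miss: output escaping removes the script but leaves the attacker's host in the URL, so the origin itself has to be trusted, which is what the proxy allow-list in `baseUrlHardened()` (or the library's filter) provides.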

Potential Impact

For European organizations, the impact of this vulnerability can be significant for web applications built on PHP frameworks, or custom PHP applications, that rely on laminas-diactoros for HTTP message processing. Exploitation can yield reflected XSS wherever the application writes fully-qualified URLs into pages, which in turn enables session hijacking, credential theft or delivery of malicious payloads to end users. The resulting loss of confidentiality and integrity of user data carries reputational damage and GDPR exposure. Even where output is escaped, URL poisoning lets an attacker redirect users to a host of their choosing through links the application itself generates, which can mislead users or disrupt application workflows. Sectors with high web exposure, such as e-commerce, finance, healthcare and government, are most at risk.

The precondition for exploitation is modest: the attacker must be able to deliver an HTTP request with chosen `X-Forwarded-*` headers to the application. That is the case when the application is reachable directly, and also when it sits behind a proxy or load balancer that forwards client-supplied headers rather than overwriting them. Given the widespread use of PHP and the Laminas ecosystem in Europe, the number of affected systems is non-trivial. The absence of known active exploits lowers the immediate risk, but the vulnerability remains a viable attack vector until mitigated.

Mitigation Recommendations

1. Upgrade laminas-diactoros to version 2.11.1 or later. On the 2.x series the default still honours X-Forwarded-* headers, so also pass a `Laminas\Diactoros\RequestFilter\NoOpRequestFilter` (or a `RequestFilterInterface` implementation of your own) to `ServerRequestFactory::fromGlobals()`; upgrading alone does not change the behaviour. On 3.0 and later the headers are ignored by default, and only deployments that genuinely sit behind a trusted load balancer should opt in with a `LegacyXForwardedHeaderFilter`.
2. For applications that cannot upgrade immediately, remove or validate the headers before they reach PHP: with Apache mod_headers, `RequestHeader unset` for each X-Forwarded-* header; with Nginx acting as reverse proxy, `proxy_set_header` with an empty value, which stops the header from being passed upstream. Do this at the first trusted hop and let only that hop set the headers. Verify the control by sending a request carrying the headers and confirming that no `HTTP_X_FORWARDED_*` entries appear in `$_SERVER`.
3. Audit application code so that any fully-qualified URL derived from the request URI is escaped for the output context in which it appears. Escaping prevents the XSS but not the URL poisoning, so the host in such URLs must also come from a trusted source.
4. Review proxy and load balancer configurations so that the edge proxy overwrites (rather than appends to or passes through) client-supplied X-Forwarded-* headers, and so that the application accepts these headers only from that proxy's addresses.
5. Deploy a Content Security Policy (CSP) to limit the impact of any XSS by restricting where scripts may execute from.
6. Include HTTP header handling and URL generation in penetration tests and code reviews to identify similar issues.
7. Monitor web application logs for X-Forwarded-* values that are not a well-formed host[:port] or scheme, that name a host the application does not serve, or that arrive from an address other than the trusted proxies; each of these indicates forgery or a proxy that is passing client headers through.
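As an added example for recommendations 4 and 7 (written for this page, not part of the project), the script below triages access log lines for the three conditions worth alerting on: forwarded headers from a peer that is not a known proxy, a malformed `X-Forwarded-Host`, and a forwarded host that the trusted proxy relayed but that the application does not serve (the sign of a proxy passing client headers through). It assumes the web server appends `X-Forwarded-Host` and `X-Forwarded-Proto` as two extra quoted fields after the combined log format, as an Nginx `log_format` ending in `"$http_x_forwarded_host" "$http_x_forwarded_proto"` would, with embedded double quotes escaped as `\x22`. The log lines, the proxy address and the served host list are constructed.

```php
<?php
declare(strict_types=1);

// Added log-triage example, not part of the page or of laminas-diactoros.
// Assumes combined log format plus two quoted fields: X-Forwarded-Host, X-Forwarded-Proto.
const TRUSTED_PROXIES = ['10.0.0.5'];                             // assumed load balancer
const EXPECTED_HOSTS  = ['www.example.test', 'app.example.test']; // hosts the app serves
const HOST_PATTERN    = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$/i';

// Constructed log lines; a literal double quote inside a field appears as \x22.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [01/Aug/2022:16:15:14 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.example.test" "https"
203.0.113.7 - - [01/Aug/2022:16:15:20 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.81.0" "evil.example\x22><script>alert(1)</script>" "http"
203.0.113.9 - - [01/Aug/2022:16:15:25 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-" "-"
10.0.0.5 - - [01/Aug/2022:16:15:30 +0000] "GET /account HTTP/1.1" 200 800 "-" "Mozilla/5.0" "attacker.example" "https"
198.51.100.4 - - [01/Aug/2022:16:15:33 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "app.example.test" "https"
LOG;

/** Returns one finding per suspicious line, keyed by 1-based line number. */
function triageForwardedHeaders(string $log, array $trusted, array $expectedHosts): array
{
    $findings = [];
    foreach (explode("\n", trim($log)) as $n => $line) {
        // first field is the peer address; the last two quoted fields are the headers
        if (preg_match('/^(\S+) .* "([^"]*)" "([^"]*)"$/', $line, $m) !== 1) {
            continue;
        }
        [, $peer, $fHost, $fProto] = $m;
        if ($fHost === '-' && $fProto === '-') {
            continue; // no forwarded headers on this request
        }
        $reasons = [];
        if (!in_array($peer, $trusted, true)) {
            $reasons[] = 'X-Forwarded-* from non-proxy peer'; // direct client or unlisted hop
        }
        if ($fHost !== '-' && preg_match(HOST_PATTERN, $fHost) !== 1) {
            $reasons[] = 'malformed X-Forwarded-Host';        // markup, quotes, spaces, userinfo
        } elseif ($fHost !== '-' && !in_array(strtolower(explode(':', $fHost)[0]), $expectedHosts, true)) {
            $reasons[] = 'X-Forwarded-Host is not a served host'; // proxy relays client value
        }
        if ($fProto !== '-' && !in_array(strtolower($fProto), ['http', 'https'], true)) {
            $reasons[] = 'unexpected X-Forwarded-Proto';
        }
        if ($reasons !== []) {
            $findings[$n + 1] = $peer . ': ' . implode('; ', $reasons);
        }
    }
    return $findings;
}

foreach (triageForwardedHeaders(SAMPLE_LOG, TRUSTED_PROXIES, EXPECTED_HOSTS) as $lineNo => $finding) {
    echo "line $lineNo: $finding\n";
}
```

On the sample above, line 2 is flagged twice (forged from a non-proxy peer, and a host value carrying markup), line 5 once for a forwarded header from a non-proxy peer, and line 4 for a host the application does not serve even though it came from the trusted proxy. That last case is the one to take to the infrastructure team: it means the load balancer is passing client-supplied X-Forwarded-Host through, which is exactly the "untrusted proxy" condition in the advisory.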


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3861

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 1:50:07 AM

Last updated: 8/17/2025, 1:00:32 PM

Views: 12
