The vulnerability in guzzlehttp/psr7 (prior to 2.10.2) involves improper input validation of the Host header during raw HTTP request parsing and server request URI derivation. An attacker can supply a malformed Host header containing URI authority delimiters (e.g., userinfo@host) that causes the constructed URI host to differ from the original Host header value. This discrepancy can lead to incorrect routing or forwarding decisions, potentially causing requests or credentials to be sent to unintended hosts. The vulnerability is addressed in version 2.10.2. The legacy 1.x versions are no longer maintained and remain vulnerable. Mitigation includes validating the Host header format before parsing or using the parsed URI for security decisions.

The vulnerability allows an attacker to manipulate the Host header to cause the application to interpret the request URI host differently from the original Host header. This can lead to forwarding requests or credentials to unintended hosts, potentially enabling misrouting or unauthorized access scenarios. The impact is limited to confidentiality (partial information disclosure or misrouting) with no direct integrity or availability impact reported. Exploitation requires attacker-controlled raw HTTP requests or server variables.

A fix is available in guzzlehttp/psr7 version 2.10.2. Users should upgrade to this version to remediate the vulnerability. For legacy 1.x versions, which are end-of-life and unpatched, apply workarounds by validating the Host header format as 'uri-host[:port]' before calling Message::parseRequest() or parse_request() on untrusted data. Reject Host headers containing userinfo, path, query, or fragment delimiters to prevent exploitation. Do not rely solely on the parsed URI host for routing or forwarding decisions without prior validation.