The guzzlehttp/psr7 PHP library versions before 2.10.2 do not properly reject ASCII control characters, whitespace, or DEL characters in the URI host component. This improper input validation can allow an attacker to inject CRLF or other header-unsafe characters into the host header, causing the serialized HTTP request to contain additional attacker-controlled headers. This vulnerability affects applications that use user-controlled URLs for outbound HTTP requests, such as URL forwarding, proxying, crawling, or webhook delivery. The malformed requests can contribute to HTTP request smuggling or cache poisoning depending on downstream parsing. The issue is patched in version 2.10.2. Version 1.x is end-of-life and unpatched. Workarounds include validating and rejecting untrusted URI strings containing control characters before constructing PSR-7 Uri or Request instances.

Exploitation can lead to injection of additional HTTP headers in outbound requests, potentially enabling HTTP request smuggling or cache poisoning in environments with HTTP/1.1 connection reuse, proxies, gateways, or load balancers. The integrity of HTTP requests can be compromised, impacting request dispatch flows such as forwarding, proxying, or webhook delivery. There is no direct confidentiality or availability impact reported.

A fix is available in guzzlehttp/psr7 version 2.10.2 and later; upgrading to this version or newer fully mitigates the vulnerability. Version 1.x is end-of-life and will not receive a patch. As a workaround, applications should validate and reject all untrusted URI strings containing ASCII control characters, whitespace, or DEL characters before constructing PSR-7 Uri or Request objects. Additionally, ensure that the HTTP client or serializer used rejects invalid URI and header data before sending requests to the network.