The guzzlehttp/psr7 PHP library versions before 2.12.1 improperly neutralize CRLF sequences in HTTP start-line fields (request method, protocol version, response reason phrase). This allows an attacker to inject additional HTTP header lines if attacker-controlled data is placed into these fields and the PSR-7 message is serialized (e.g., via Message::toString()) and sent or forwarded. The vulnerability can also be triggered by parsing malformed raw HTTP messages into PSR-7 objects and then serializing them again. Creating or modifying PSR-7 objects alone is insufficient; the serialized malformed message must be transmitted or processed by downstream software that does not reject malformed start lines. This vulnerability is addressed by rejecting CR/LF characters in these fields starting with guzzlehttp/psr7 version 2.12.1.

An attacker able to control data in the affected HTTP start-line fields could inject additional HTTP header lines into serialized HTTP messages. This can lead to HTTP response splitting or header injection issues if the serialized message is sent over the network or processed by vulnerable downstream components. The impact is limited by the requirement that the malformed message be serialized and forwarded to software that does not independently reject malformed start lines. The CVSS 3.1 base score is 4.8 (medium severity), reflecting limited impact and the complexity of exploitation.

Upgrade guzzlehttp/psr7 to version 2.12.1 or later, where this vulnerability is fixed by rejecting CR/LF characters in HTTP start-line fields. Until upgraded, ensure that any software processing serialized PSR-7 messages properly validates and rejects malformed start lines containing CR/LF sequences. No other specific mitigations are indicated.