CVE-2022-29248— Cross-domain cookie leakage in Guzzle
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-29248
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-domain cookie leakage in Guzzle
Source: NVD (National Vulnerability Database)
Vulnerability Description
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Guzzle 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Guzzle是guzzlehttp个人开发者的一个 PHP HTTP 客户端,可以轻松发送 HTTP 请求并轻松与 Web 服务集成。 Guzzle 7.0.0版本至7.4.3版本,以及6.5.6之前的版本存在信息泄露漏洞,该漏洞允许恶意服务器为不相关的域设置cookie,攻击者可以利用该漏洞从Guzzle 客户端登录到他们的帐户,并从其帐户的安全日志中检索私有 API 请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-29248
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-29248
请登录查看更多情报信息。
- https://www.debian.org/security/2022/dsa-5246vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-29248
IV. Related Vulnerabilities
Same product: guzzle
Same vendor: guzzle
- CVE-2025-21617
Guzzle OAuth Subscriber has insufficient nonce entropy - CVE-2023-29197
Improper header name validation in guzzlehttp/psr7 - CVE-2022-31090
CURLOPT_HTTPAUTH option not cleared on change of origin in G - CVE-2022-31091
Change in port should be considered a change in origin in Gu - CVE-2022-31042
Failure to strip the Cookie header on change in host or HTTP
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2022-29248
No comments yet