CVE-2023-29197— Improper header name validation in guzzlehttp/psr7
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-29197
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper header name validation in guzzlehttp/psr7
Source: NVD (National Vulnerability Database)
Vulnerability Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
解释冲突
Source: NVD (National Vulnerability Database)
Vulnerability Title
PSR-7 Message Implementation 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PSR-7 Message Implementation是一个完整的 PSR-7 消息实现。 PSR-7 Message Implementation 存在安全漏洞,该漏洞源于存在不正确的标头解析问题,攻击者利用该漏洞可以在标头名称和值中加入换行符。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2023-29197
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-29197
请登录查看更多情报信息。
- https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4x_refsource_MISC
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775x_refsource_MISC
- https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvwx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2023-29197
IV. Related Vulnerabilities
Same vendor: guzzle
- CVE-2025-21617
Guzzle OAuth Subscriber has insufficient nonce entropy - CVE-2022-31090
CURLOPT_HTTPAUTH option not cleared on change of origin in G - CVE-2022-31091
Change in port should be considered a change in origin in Gu - CVE-2022-31042
Failure to strip the Cookie header on change in host or HTTP - CVE-2022-31043
Fix failure to strip Authorization header on HTTP downgrade
Same weakness: CWE-436
- CVE-2026-42273
Heimdall: Case-sensitive host matching may lead to policy by - CVE-2026-42272
Heimdall: Case-sensitive handling of URL-encoded slashes may - CVE-2026-30246
github.com/gofiber/fiber/v3 cache middleware can mix respons - CVE-2026-6322
fast-uri vulnerable to host confusion via percent-encoded au - CVE-2026-41248
Official Clerk JavaScript SDKs: Middleware-based route prot
V. Comments for CVE-2023-29197
No comments yet