CVE-2022-24775

unknown

Published 2022-03-21 · Modified 2026-02-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2022-24775 NameCVE-2022-24775 Descriptionguzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS,…

Workaround

s. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Debian Bugs1008236 Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus php-guzzlehttp-psr7 (PTS)bullseye1.7.0-1+deb11u2fixed bookworm2.4.5-1fixed trixie2.7.1-1fixed forky2.9.0-2fixed sid2.10.3-1fixed The information below is based on the following data on fixed versions. PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs php-guzzlehttp-psr7sourcebuster1.4.2-0.1+deb10u1 php-guzzlehttp-psr7sourcebullseye1.7.0-1+deb11u1 php-guzzlehttp-psr7source(unstable)1.8.5-11008236 Notes https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

CVE-2022-24775

Name	CVE-2022-24775
Description	guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1008236

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php-guzzlehttp-psr7 (PTS)	bullseye	1.7.0-1+deb11u2	fixed
	bookworm	2.4.5-1	fixed
	trixie	2.7.1-1	fixed
	forky	2.9.0-2	fixed
	sid	2.10.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
php-guzzlehttp-psr7	source	buster	1.4.2-0.1+deb10u1
php-guzzlehttp-psr7	source	bullseye	1.7.0-1+deb11u1
php-guzzlehttp-psr7	source	(unstable)	1.8.5-1	1008236

Notes

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.8.5-1`
sid	Fixed	`1.8.5-1`
forky	Fixed	`1.8.5-1`
bullseye	Fixed	`1.7.0-1+deb11u1`
bookworm	Fixed	`1.8.5-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	drupal/core	`>=8.0.0,<9.2.16\|\|>=9.3.0,<9.3.9`	`9.2.16`
Packagist	guzzlehttp/psr7	`<1.8.4`	`1.8.4`
Packagist	guzzlehttp/psr7	`>=2.0.0,<2.1.1`	`2.1.1`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.