CVE-2022-31042
CVE-2022-31042 is a high-severity vulnerability in Guzzlephp Guzzle with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-212.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-212
- Affected product: Guzzlephp Guzzle
- Published:
- Last modified:
Description
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
Frequently asked questions
- What is CVE-2022-31042?
- Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
- How severe is CVE-2022-31042?
- CVE-2022-31042 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-31042 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-31042?
- CVE-2022-31042 primarily affects Guzzlephp Guzzle. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-31042?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-31042 published?
- CVE-2022-31042 was published on 2022-06-10 and last updated on 2026-06-17.
References
- https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
- https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
- https://www.debian.org/security/2022/dsa-5246
- https://www.drupal.org/sa-core-2022-011
- https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
Affected products (6)
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
More vulnerabilities in Guzzlephp Guzzle
- CVE-2022-29248 — High (CVSS 8.0): Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie…
- CVE-2022-31091 — High (CVSS 7.7): Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In…
- CVE-2022-31090 — High (CVSS 7.7): Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected…
- CVE-2022-31043 — High (CVSS 7.5): Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive…
- CVE-2026-55568 — Medium (CVSS 5.9): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected…
- CVE-2026-55767 — Medium (CVSS 5.8): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain…
All CVEs affecting Guzzlephp Guzzle →
Other CWE-212 vulnerabilities
- CVE-2022-2818 — Critical (CVSS 9.8): Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to…
- CVE-2020-11684 — Critical (CVSS 9.1): AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control…
- CVE-2026-39937 — High (CVSS 8.8): Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation…
- CVE-2022-30617 — High (CVSS 8.8): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and…
- CVE-2022-0355 — High (CVSS 8.8): Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
- CVE-2021-0340 — High (CVSS 8.8): In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input…