CVE-2022-31043
CVE-2022-31043 is a high-severity vulnerability in Guzzlephp Guzzle with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-212.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-212
- Affected product: Guzzlephp Guzzle
- Published:
- Last modified:
Description
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
Frequently asked questions
- What is CVE-2022-31043?
- Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
- How severe is CVE-2022-31043?
- CVE-2022-31043 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-31043 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-31043?
- CVE-2022-31043 primarily affects Guzzlephp Guzzle. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-31043?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-31043 published?
- CVE-2022-31043 was published on 2022-06-10 and last updated on 2026-06-17.
References
- https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
- https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
- https://www.debian.org/security/2022/dsa-5246
- https://www.drupal.org/sa-core-2022-011
- https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
Affected products (6)
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:9.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
More vulnerabilities in Guzzlephp Guzzle
- CVE-2022-29248 — High (CVSS 8.0): Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie…
- CVE-2022-31091 — High (CVSS 7.7): Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In…
- CVE-2022-31090 — High (CVSS 7.7): Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected…
- CVE-2022-31042 — High (CVSS 7.5): Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive…
- CVE-2026-55568 — Medium (CVSS 5.9): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected…
- CVE-2026-55767 — Medium (CVSS 5.8): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain…
All CVEs affecting Guzzlephp Guzzle →
Other CWE-212 vulnerabilities
- CVE-2022-2818 — Critical (CVSS 9.8): Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to…
- CVE-2020-11684 — Critical (CVSS 9.1): AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control…
- CVE-2026-39937 — High (CVSS 8.8): Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation…
- CVE-2022-30617 — High (CVSS 8.8): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and…
- CVE-2022-0355 — High (CVSS 8.8): Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
- CVE-2021-0340 — High (CVSS 8.8): In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input…