CVE-2022-31090
CVE-2022-31090 is a high-severity vulnerability in Guzzlephp Guzzle with a CVSS 3.x base score of 7.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-212.
Key facts
- Severity: High (CVSS 3.x base score 7.7)
- CVSS v2: 4.0
- EPSS exploit prediction: 2% (75th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-212
- Affected product: Guzzlephp Guzzle
- Published:
- Last modified:
Description
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
Frequently asked questions
- What is CVE-2022-31090?
- Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
- How severe is CVE-2022-31090?
- CVE-2022-31090 has a CVSS 3.x base score of 7.7, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-31090 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (75th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-31090?
- CVE-2022-31090 primarily affects Guzzlephp Guzzle. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-31090?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-31090 published?
- CVE-2022-31090 was published on 2022-06-27 and last updated on 2026-06-17.
References
- https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
- https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
- https://security.gentoo.org/glsa/202305-24
- https://www.debian.org/security/2022/dsa-5246
Affected products (2)
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
More vulnerabilities in Guzzlephp Guzzle
- CVE-2022-29248 — High (CVSS 8.0): Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie…
- CVE-2022-31091 — High (CVSS 7.7): Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In…
- CVE-2022-31043 — High (CVSS 7.5): Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive…
- CVE-2022-31042 — High (CVSS 7.5): Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive…
- CVE-2026-55568 — Medium (CVSS 5.9): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected…
- CVE-2026-55767 — Medium (CVSS 5.8): Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain…
All CVEs affecting Guzzlephp Guzzle →
Other CWE-212 vulnerabilities
- CVE-2022-2818 — Critical (CVSS 9.8): Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to…
- CVE-2020-11684 — Critical (CVSS 9.1): AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control…
- CVE-2026-39937 — High (CVSS 8.8): Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation…
- CVE-2022-30617 — High (CVSS 8.8): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and…
- CVE-2022-0355 — High (CVSS 8.8): Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
- CVE-2021-0340 — High (CVSS 8.8): In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input…