CVE-2022-29248
📋 TL;DR
Guzzle PHP HTTP client versions prior to 6.5.6 and 7.4.3 have a cookie domain validation vulnerability that allows malicious servers to set cookies for unrelated domains. Only applications that manually enable cookie middleware or construct clients with cookie support are affected. Because cookie middleware is disabled by default, the impact is limited.
💻 Affected Systems
- Guzzle PHP HTTP client
📦 What is this software?
Drupal by Drupal
Guzzle by Guzzlephp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could set malicious cookies for unrelated domains, potentially leading to session hijacking, authentication bypass, or cross-domain attacks if the vulnerable client interacts with untrusted servers.
Likely Case
Limited impact since cookie middleware is disabled by default; only applications explicitly enabling cookies and calling multiple domains without redirect protection are vulnerable.
If Mitigated
Minimal to no impact if cookie middleware is disabled, the same client isn't used for multiple domains, or redirect forwarding is disabled.
🎯 Exploit Status
Exploitation requires a malicious server to interact with a vulnerable Guzzle client; no authentication needed on client side.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Guzzle 6.5.6 and 7.4.3
Vendor Advisory: https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
Restart Required: No
Instructions:
1. Update Guzzle via Composer: 'composer require guzzlehttp/guzzle:^6.5.6' for v6 or 'composer require guzzlehttp/guzzle:^7.4.3' for v7.
2. Run 'composer update' to apply changes.
3. No server restart required.
🔧 Temporary Workarounds
Disable cookie middleware
Turn off cookie middleware in the Guzzle configuration to prevent exploitation.
Ensure the Guzzle client is not constructed with ['cookies' => true] and that cookie middleware is not manually added to the handler stack.
🧯 If You Can't Patch
- Disable cookie middleware in all Guzzle client configurations.
- Ensure vulnerable clients only communicate with trusted domains and disable redirect forwarding.
🔍 How to Verify
Check if Vulnerable:
Check composer.json for Guzzle version below 6.5.6 or 7.4.3, and verify if cookie middleware is enabled in code.
Check Version:
composer show guzzlehttp/guzzle | grep versions
Verify Fix Applied:
Confirm Guzzle version is 6.5.6+ or 7.4.3+ via 'composer show guzzlehttp/guzzle' and review code to ensure cookie middleware isn't manually enabled.
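As an added example (not from this advisory page or the Guzzle project), the following POSIX shell script automates the two checks above: it reads the pinned guzzlehttp/guzzle version out of composer.lock, compares it against the fixed versions 6.5.6 and 7.4.3, and greps the code base for the cookie-enabling settings named under the workarounds. The composer.lock fragment embedded in it is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a project for CVE-2022-29248 exposure. Two conditions must both hold
# for the advisory to apply: an affected Guzzle version AND cookie middleware enabled in code.

# guzzle_vulnerable VERSION -> exit 0 if VERSION is in the affected range, 1 otherwise.
# Non-numeric versions (e.g. dev-master) coerce to 0 and are treated as affected (conservative).
guzzle_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{
        sub(/^v/, "", $1)                                  # tolerate a leading "v" (v7.4.2)
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0     # "2-beta1" coerces to 2
        if (major == 6) exit !(minor < 5 || (minor == 5 && patch < 6))   # fixed in 6.5.6
        if (major == 7) exit !(minor < 4 || (minor == 4 && patch < 3))   # fixed in 7.4.3
        exit (major < 6) ? 0 : 1          # anything below 6.5.6 is affected; 8.x and later are not
    }'
}

# installed_guzzle_version LOCKFILE -> prints the guzzlehttp/guzzle version pinned in composer.lock
# (composer.lock records the installed version; composer.json only records a constraint).
installed_guzzle_version() {
    awk '/"name": *"guzzlehttp\/guzzle"/ { found = 1 }
         found && /"version":/ { sub(/.*"version": *"/, ""); sub(/".*/, ""); print; exit }' "$1"
}

# cookie_config_refs DIR -> prints source lines that enable cookie handling: the
# ['cookies' => true] client option the advisory names, or Guzzle's CookieJar / Middleware::cookies.
cookie_config_refs() {
    grep -rnE "[\"']cookies[\"'] *=> *true|Middleware::cookies|CookieJar" "$1"
}

# Constructed sample composer.lock fragment (not a real project file) so the script runs stand-alone.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "guzzlehttp/promises",
            "version": "1.5.1"
        },
        {
            "name": "guzzlehttp/guzzle",
            "version": "7.4.2"
        }
    ]
}
EOF

# Report on the sample; in real use point installed_guzzle_version at ./composer.lock
# and cookie_config_refs at your application source tree.
ver=$(installed_guzzle_version "$SAMPLE_LOCK")
if guzzle_vulnerable "$ver"; then
    echo "guzzlehttp/guzzle $ver is in the CVE-2022-29248 range; review cookie settings with cookie_config_refs"
else
    echo "guzzlehttp/guzzle $ver is outside the affected range"
fi
```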
📡 Detection & Monitoring
Log Indicators:
- Unusual cookie headers from untrusted domains in HTTP responses
- Multiple domain requests from same Guzzle client instance with cookies enabled
Network Indicators:
- HTTP traffic showing Set-Cookie headers from servers to unrelated domains
SIEM Query:
source="web_logs" AND ("Set-Cookie" AND domain_mismatch) OR ("Guzzle" AND cookie_enabled)
🔗 References
- https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
- https://github.com/guzzle/guzzle/pull/3018
- https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
- https://www.debian.org/security/2022/dsa-5246
- https://www.drupal.org/sa-core-2022-010