CVE-2022-31042
📋 TL;DR
Guzzle HTTP client versions before 6.5.7 and 7.4.4 expose sensitive cookie information during HTTP redirects. When a request to an HTTPS server redirects to HTTP or to a different host, manually added Cookie headers are improperly forwarded, potentially leaking session tokens or authentication cookies. This affects PHP applications using vulnerable Guzzle versions for HTTP requests.
💻 Affected Systems
- Guzzle HTTP client
📦 What is this software?
Drupal by Drupal
Guzzle by Guzzlephp
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept sensitive cookies during redirects, leading to session hijacking, account takeover, or unauthorized access to user accounts and data.
Likely Case
Session cookies or authentication tokens are exposed when applications follow redirects to less secure HTTP endpoints or different domains, enabling credential theft.
If Mitigated
With proper network segmentation and monitoring, exposure is limited to internal traffic, reducing external attack surface.
🎯 Exploit Status
Exploitation requires control over redirect targets or ability to intercept traffic, but the vulnerability itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Guzzle 6.5.7 or 7.4.4
Vendor Advisory: https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
Restart Required: No
Instructions:
1. Update Guzzle via Composer: 'composer require guzzlehttp/guzzle:^6.5.7' or 'composer require guzzlehttp/guzzle:^7.4.4'.
2. Run 'composer update'.
3. Test application functionality.
🔧 Temporary Workarounds
Disable redirects
Prevent Guzzle from following redirects entirely
$client = new \GuzzleHttp\Client(['allow_redirects' => false]);
Custom redirect middleware
Implement custom redirect handling to strip Cookie headers manually
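Worked example of the second workaround, added here and not code from Guzzle or the advisory: it turns the built-in redirect handling off and follows Location headers itself, dropping a manually added Cookie header on any host change or https-to-http downgrade. It assumes Guzzle 7.x with guzzlehttp/psr7 2.x; the URL and cookie value are constructed.

```php
<?php
// Added example (not Guzzle's own code): turn off built-in redirects, follow 3xx by hand,
// and drop a manually added Cookie header on any host change or https -> http downgrade.
// Assumes guzzlehttp/guzzle 7.x and guzzlehttp/psr7 2.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// Cookie may follow the hop only if the host is unchanged and https is not downgraded.
function cookieAllowedOnHop(UriInterface $from, UriInterface $next): bool
{
    $sameHost  = strcasecmp($from->getHost(), $next->getHost()) === 0;
    $downgrade = $from->getScheme() === 'https' && $next->getScheme() !== 'https';
    return $sameHost && !$downgrade;
}

// Send with Guzzle's redirect middleware off and resolve each Location header ourselves.
function sendWithSafeRedirects(Client $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false]);
        $status   = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response;                       // final (non-redirect) response
        }
        if ($hop >= $maxHops) {
            throw new RuntimeException("Redirect limit of $maxHops exceeded");
        }
        $next = UriResolver::resolve($request->getUri(), Utils::uriFor($response->getHeaderLine('Location')));
        if (!cookieAllowedOnHop($request->getUri(), $next)) {
            $request = $request->withoutHeader('Cookie');   // never leak the cookie off-origin
        }
        // Roughly mirror Guzzle's non-strict rule: 301/302/303 turn an unsafe method into a bodiless GET.
        if (in_array($status, [301, 302, 303], true) && !in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'], true)) {
            $request = $request->withMethod('GET')->withBody(Utils::streamFor(''));
        }
        $request = $request->withUri($next);
    }
}

// Usage with a constructed URL and cookie value; any redirecting endpoint works.
$client   = new Client();
$request  = new Request('GET', 'https://example.com/login', ['Cookie' => 'session=CONSTRUCTED']);
$response = sendWithSafeRedirects($client, $request);
echo $response->getStatusCode(), PHP_EOL;
```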
🧯 If You Can't Patch
- Implement network monitoring for suspicious redirect patterns
- Use application firewalls to block redirects to HTTP or external domains
🔍 How to Verify
Check if Vulnerable:
Check composer.json or run 'composer show guzzlehttp/guzzle' to see installed version
Check Version:
composer show guzzlehttp/guzzle | grep versions
Verify Fix Applied:
Confirm version is 6.5.7+ or 7.4.4+ and test redirect scenarios
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in application logs
- Requests to HTTP endpoints after HTTPS origins
Network Indicators:
- Cookie headers in HTTP traffic after HTTPS redirects
- Cross-domain redirects with preserved cookies
SIEM Query:
source="application.logs" AND "redirect" AND ("http://" OR "different-host")
🔗 References
- https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
- https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
- https://www.debian.org/security/2022/dsa-5246
- https://www.drupal.org/sa-core-2022-011
- https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx