CVE-2022-31090

7.7 HIGH

📋 TL;DR

Guzzle, the PHP HTTP client, forwards HTTP authentication credentials to a different origin when it follows a redirect with the cURL handler. In versions before 6.5.8 and 7.x before 7.4.5, the cURL authentication options that Guzzle sets for the `auth` request option (CURLOPT_HTTPAUTH and the accompanying CURLOPT_USERPWD credentials, used for its digest and NTLM modes) are not cleared when the redirect target has a different scheme, host or port than the original request, so the credentials are presented to whatever server the redirect points at. Any PHP application that uses a vulnerable Guzzle with the cURL handler, sends authenticated requests and leaves redirects enabled (the default) is affected.

💻 Affected Systems

Products:
  • Guzzle PHP HTTP Client
Versions: All versions before 6.5.8, and 7.x before 7.4.5
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using the cURL handler with redirects enabled. The stream handler is not vulnerable.

📦 What is this software?

Guzzle (Composer package guzzlehttp/guzzle) is a widely used PHP HTTP client library for calling web services. It follows redirects through its own middleware and, by default, sends requests with the cURL extension when that is available, falling back to the PHP stream wrapper otherwise.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Authentication tokens, API keys, or credentials are sent to malicious servers during redirects, leading to account takeover, data breaches, or unauthorized access to downstream services.

🟠

Likely Case

Accidental credential exposure to legitimate third-party services during normal redirect flows, potentially violating security policies and compliance requirements.

🟢

If Mitigated

Limited exposure with proper network segmentation and monitoring, but still represents an information disclosure vulnerability.

🌐 Internet-Facing: HIGH - Web applications making external API calls with authentication are directly exposed.
🏢 Internal Only: MEDIUM - Internal services using Guzzle for API calls could leak credentials within the internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires making a server that the application calls with credentials answer with a redirect to an attacker-controlled origin: a compromised or malicious upstream, or an open redirect on an otherwise legitimate upstream. The application's own redirect handling then delivers the credentials to the attacker's server; nothing beyond triggering the authenticated request is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Guzzle 6.5.8 or 7.4.5

Vendor Advisory: https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r

Restart Required: No for the PHP runtime itself. If opcache.validate_timestamps is disabled, reload PHP-FPM (or the web server's PHP module) so the updated files are actually compiled.

Instructions:

1. Raise the constraint and install the fixed release: 'composer require guzzlehttp/guzzle:^7.4.5' (or 'composer require guzzlehttp/guzzle:^6.5.8' on the 6.x line). If the existing constraint in composer.json already admits the fixed release, 'composer update guzzlehttp/guzzle' is enough.
2. Commit the updated composer.lock and deploy it: the lock file, not composer.json, determines what runs in production.
3. Test application functionality, in particular flows that follow redirects to external services.

🔧 Temporary Workarounds

Disable Redirects (platform: all)

Prevent Guzzle from following HTTP redirects entirely. The application then receives the 3xx response itself and must decide whether, and with which headers, to follow it.

$client = new \GuzzleHttp\Client(['allow_redirects' => false]);

Use Stream Handler (platform: all)

Switch from the cURL handler to the stream handler backend. Wrapping the handler in HandlerStack::create() keeps Guzzle's default middleware (redirects, cookies, HTTP errors) and only swaps the transport. Caveat: the stream handler requires allow_url_fopen and does not support cURL-specific options, so confirm that the authentication modes and request options you rely on still work before deploying this.

$client = new \GuzzleHttp\Client(['handler' => \GuzzleHttp\HandlerStack::create(new \GuzzleHttp\Handler\StreamHandler())]);

🧯 If You Can't Patch

  • Handle redirects in the application: set allow_redirects to false, resolve the Location header yourself, and re-issue the request with the auth option and Authorization header only while the target keeps the original scheme, host and port
  • Route outbound HTTP through an egress proxy or network monitoring that can see where the application's requests go, and alert on credentials reaching hosts outside the expected set
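The following is an added example of the application-level redirect handling described above; it is not Guzzle's own code. It assumes guzzlehttp/guzzle 6 or 7 installed through Composer with ext-curl loaded (the CURLOPT_* constants come from it), and the host api.example together with the function names are made up for illustration. Credentials are forwarded only while the redirect chain stays on the origin of the first request; on any change of scheme, host or port the `auth` option, any Authorization header and the cURL authentication options are removed before the next hop.

```php
<?php
// Added example (not Guzzle's own code): follow redirects in the application
// and drop credentials as soon as the target origin changes.
// Assumes guzzlehttp/guzzle 6 or 7 via Composer and ext-curl loaded.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

/** Same origin means identical scheme, host and port (default ports filled in). */
function sameOrigin(UriInterface $a, UriInterface $b): bool
{
    $port = static function (UriInterface $u): int {
        if ($u->getPort() !== null) {
            return $u->getPort();
        }
        return strtolower($u->getScheme()) === 'https' ? 443 : 80;
    };

    return strtolower($a->getScheme()) === strtolower($b->getScheme())
        && strtolower($a->getHost()) === strtolower($b->getHost())
        && $port($a) === $port($b);
}

/** Remove every way a Guzzle request can carry credentials. */
function stripCredentials(array $options): array
{
    unset($options['auth']);
    foreach (array_keys($options['headers'] ?? []) as $name) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            unset($options['headers'][$name]);
        }
    }
    // Digest/NTLM 'auth' is translated into these cURL options; clear them too.
    unset($options['curl'][CURLOPT_HTTPAUTH], $options['curl'][CURLOPT_USERPWD]);

    return $options;
}

/**
 * Send a request and follow redirects here instead of letting Guzzle do it.
 * Credentials travel only while the chain stays on the first request's origin.
 */
function requestWithSafeRedirects(
    Client $client,
    string $method,
    string $url,
    array $options = [],
    int $maxRedirects = 5
): ResponseInterface {
    $options['allow_redirects'] = false; // Guzzle must not follow for us
    $origin  = new Uri($url);
    $current = $origin;

    for ($hop = 0; ; $hop++) {
        $response = $client->request($method, $current, $options);
        $status   = $response->getStatusCode();

        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response; // not a redirect: hand it back to the caller
        }
        if ($hop >= $maxRedirects) {
            throw new RuntimeException("Too many redirects starting from $url");
        }

        // Location may be relative; resolve it against the URI just requested.
        $next = UriResolver::resolve($current, new Uri($response->getHeaderLine('Location')));

        if (!sameOrigin($origin, $next)) {
            $options = stripCredentials($options);
        }
        // 301/302/303 turn a non-GET into a bodiless GET, as clients generally do.
        if (in_array($status, [301, 302, 303], true) && !in_array($method, ['GET', 'HEAD'], true)) {
            $method = 'GET';
            unset($options['body'], $options['json'], $options['form_params'], $options['multipart']);
        }
        $current = $next;
    }
}

// Usage (api.example is a placeholder): digest credentials reach api.example only;
// if it redirects to another origin, the follow-up request goes out unauthenticated.
$client   = new Client();
$response = requestWithSafeRedirects($client, 'GET', 'https://api.example/report', [
    'auth' => ['svc-user', 'svc-password', 'digest'],
]);
echo $response->getStatusCode(), PHP_EOL;
```

Because the helper decides per hop, a chain that leaves the origin and later returns to it still runs unauthenticated for the remaining hops; that is deliberate, since the intermediate server could have rewritten the path and query.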

🔍 How to Verify

Check if Vulnerable:

Check composer.lock (not composer.json, whose constraint only bounds what may be installed) or run 'composer show guzzlehttp/guzzle' to see the installed version. On Composer 2.4 or newer, 'composer audit' reports this advisory directly if the installed release is affected.

Check Version:

composer show guzzlehttp/guzzle | grep versions

Verify Fix Applied:

Confirm via 'composer show guzzlehttp/guzzle' that the installed version is 6.5.8 or later on the 6.x line, or 7.4.5 or later on 7.x, and then exercise a redirect scenario: an authenticated request whose first hop redirects to a different host must arrive at the second host without credentials.
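An offline way to run that redirect scenario, added here as an example and not taken from the Guzzle project: Guzzle's MockHandler scripts the responses, so no server is needed, and the history middleware records the options each request was sent with, including the cURL options that the `auth` option's digest mode produces. It assumes guzzlehttp/guzzle 6.x or 7.x installed through Composer with ext-curl loaded; the hosts api.example and evil.example and the function name are made up.

```php
<?php
// Added example (not Guzzle's own code): check whether the installed Guzzle
// clears cURL-level credentials when a redirect crosses origins.
// Assumes guzzlehttp/guzzle 6.x or 7.x via Composer and ext-curl loaded.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;

/**
 * Drive a digest-authenticated GET through a scripted redirect from $from to $to
 * (constructed responses, no network) and report whether the redirected request
 * still carries CURLOPT_HTTPAUTH / CURLOPT_USERPWD.
 * Returns true when Guzzle strips them (fixed), false when it forwards them.
 */
function redirectStripsCurlAuth(string $from, string $to): bool
{
    // Scripted responses: first a redirect to $to, then a plain 200.
    $mock = new MockHandler([
        new Response(302, ['Location' => $to]),
        new Response(200, [], 'ok'),
    ]);
    $history = [];
    $stack = HandlerStack::create($mock);
    // Pushed last, the history middleware sits next to the handler and records
    // the options exactly as every request, redirected ones included, is sent.
    $stack->push(Middleware::history($history));

    $client = new Client(['handler' => $stack]);
    $client->request('GET', $from, [
        'auth' => ['svc-user', 'svc-password', 'digest'],
    ]);

    // Find the request that actually went to the redirect target.
    $redirected = null;
    foreach ($history as $entry) {
        if ((string) $entry['request']->getUri() === $to) {
            $redirected = $entry;
        }
    }
    if ($redirected === null) {
        throw new RuntimeException("no request to $to was recorded");
    }

    $curl   = $redirected['options']['curl'] ?? [];
    $leaked = isset($curl[CURLOPT_HTTPAUTH]) || isset($curl[CURLOPT_USERPWD]);

    printf("%s -> %s : cURL auth on redirected request %s\n", $from, $to, $leaked ? 'PRESENT' : 'cleared');
    return !$leaked;
}

// Constructed cases: a change of host, and an https -> http downgrade on the same host.
$cases = [
    ['https://api.example/login', 'https://evil.example/collect'],
    ['https://api.example/login', 'http://api.example/collect'],
];
$fixed = true;
foreach ($cases as [$from, $to]) {
    $fixed = redirectStripsCurlAuth($from, $to) && $fixed;
}
echo $fixed
    ? "Installed Guzzle clears cURL credentials on cross-origin redirects\n"
    : "VULNERABLE: cURL credentials forwarded across origins; upgrade to 6.5.8 / 7.4.5\n";
exit($fixed ? 0 : 1);
```

The script exits non-zero on a vulnerable installation, so it can run in CI alongside the version check; a version string alone does not tell you whether a vendored or patched copy behaves correctly.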

📡 Detection & Monitoring

Log Indicators:

  • Unexpected outbound connections following redirects
  • Authentication failures on downstream services

Network Indicators:

  • After a 3xx from an authenticated upstream, a follow-up request to a different scheme, host or port that still carries an Authorization header or answers an HTTP authentication challenge. This is only visible where TLS is terminated, for example at an egress proxy; on an encrypted hop you will see the unexpected destination but not the header.

SIEM Query:

source_ip:internal_servers AND dest_ip:external_domains AND http_header:'Authorization:' AND http_status:3xx

This is a pseudo-query; adapt the field names to your schema. It finds authenticated requests that were answered with a redirect; correlate each hit with the next request from the same source to see which host received the follow-up and whether it still carried credentials.
