CVE-2023-29197

MEDIUM5.3EPSS 4.8%

php-guzzlehttp-psr7 - security update

Published: 4/19/2023Modified: 3/9/2026

Also known as:GHSA-wxmh-65f7-jcvwDEBIAN-CVE-2023-29197DLA-3705-1

Description

### Impact Improper header parsing. An attacker could sneak in a newline (`\n`) into both the header names and values. While the specification states that `\r\n\r\n` is used to terminate the header list, many servers in the wild will also accept `\n\n`. ### Patches The issue is patched in 1.9.1 and 2.4.5. ### Workarounds There are no known workarounds. ### References * https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Affected packages (4)

Debian/php-guzzlehttp-psr7from 0, < 1.7.0-1+deb11u2
Debian/php-guzzlehttp-psr7from 0, < 1.4.2-0.1+deb10u2
Debian/php-nyholm-psr7from 0, < 1.3.2-2+deb11u1
Packagist/guzzlehttp/psr7from 0, < 1.9.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (11)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-29197
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-29197
PATCHhttps://github.com/guzzle/psr7
WEBhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
WEBhttps://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
WEBhttps://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
WEBhttps://lists.debian.org/debian-lts-announce/2023/12/msg00028.html
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U
WEBhttps://www.rfc-editor.org/rfc/rfc7230#section-3.2.4