php · guzzlehttp/guzzle · Heads-up
guzzlehttp/guzzle CookieJar Accepts Dot-Only Domain Attribute
CookieJar incorrectly accepts cookies with a dot-only Domain attribute, allowing them to match any request host.
What changed
Fixed in 7.12.1, which rejects dot-only domains and prevents an empty normalized domain from matching.
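The following added example is a simplified model of cookie domain matching, not Guzzle's own code; it shows why a dot-only Domain attribute ends up matching every host and how refusing an empty normalized domain closes that gap. All function names and sample hosts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model for illustration; this is not Guzzle's source code.

/** Lower-case the Domain attribute and drop leading dots. */
function normalizeDomain(string $domainAttr): string
{
    return ltrim(strtolower($domainAttr), '.');
}

/** Suffix rule: host ends with "." . domain and is not an IP literal. */
function suffixMatch(string $cookieDomain, string $host): bool
{
    $suffix = '.' . $cookieDomain;
    return filter_var($host, FILTER_VALIDATE_IP) === false
        && strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/** Flawed: an empty normalized domain is treated as "no restriction". */
function matchesFlawed(string $domainAttr, string $host): bool
{
    $d = normalizeDomain($domainAttr);
    $h = strtolower($host);
    // "." normalizes to "" and returns true here for every host.
    return $d === '' || $h === $d || suffixMatch($d, $h);
}

/** Hardened: an empty normalized domain never matches any host. */
function matchesHardened(string $domainAttr, string $host): bool
{
    $d = normalizeDomain($domainAttr);
    $h = strtolower($host);
    return $d !== '' && ($h === $d || suffixMatch($d, $h));
}

// Constructed sample pairs: [Domain attribute, request host].
$cases = [
    ['.', 'billing.internal.example'],
    ['.example.com', 'www.example.com'],
    ['example.com', 'badexample.com'],
    ['example.com', '192.0.2.10'],
];
foreach ($cases as [$attr, $host]) {
    printf("Domain=%-13s host=%-25s flawed=%-5s hardened=%s\n", $attr, $host,
        var_export(matchesFlawed($attr, $host), true),
        var_export(matchesHardened($attr, $host), true));
}
```

Only the first pair differs between the two matchers; the remaining pairs confirm that the hardened check leaves ordinary exact and subdomain matching unchanged.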
Who it affects
Applications using Guzzle's cookie support (e.g., new Client(['cookies' => true]) or a shared CookieJar) that reuse the same jar across attacker-controlled and trusted origins.
What to do today
Upgrade to guzzlehttp/guzzle version 7.12.1 or later. If unable to upgrade, use separate CookieJar instances per origin or disable cookie handling for untrusted hosts.