guzzlehttp/psr7 CRLF Injection via Host Header
What changed
guzzlehttp/psr7 now rejects ASCII control characters, whitespace, and DEL in first-party URI host components. A host value can therefore no longer carry a CR or LF that, once the request is serialized, terminates the Host header line and lets the remainder of the host be read as a further header.
Who it affects
Applications that manually serialize PSR-7 requests into raw HTTP/1.x messages or forward raw HTTP messages: in particular custom transports, proxies, crawlers, webhook delivery, and similar request-dispatch code that builds requests from untrusted URIs without independently validating the host component.
What to do today
Upgrade to version 2.10.2 or later. If you cannot upgrade, validate untrusted URI strings (and any host value you pass to withHost()) before constructing PSR-7 Uri or Request instances, and reject any that contain ASCII control characters (0x00-0x1F), whitespace (0x20), or DEL (0x7F). Reject rather than strip: these bytes are never legitimate in a host, and stripping can still produce a different host than the caller intended.
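The following is an added example, not code from guzzlehttp/psr7 or from the advisory. It shows the hand-rolled HTTP/1.1 serializer pattern the advisory warns about (where a CR/LF inside the host would land on the wire as a header boundary) together with the pre-construction check recommended above for installations that cannot upgrade. It assumes guzzlehttp/psr7 is installed through Composer; the helper names assertCleanUriInput, withValidatedHost, buildOutboundRequest and serializeRawHttp are hypothetical, and the webhook URL is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example; assumes guzzlehttp/psr7 is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;

/**
 * Reject any URI string or host value containing an ASCII control character
 * (0x00-0x1F), a space (0x20) or DEL (0x7F). None of these bytes is legal in
 * a host, so the input is refused outright rather than cleaned up.
 * Hypothetical helper name.
 */
function assertCleanUriInput(string $input): string
{
    if (preg_match('/[\x00-\x20\x7F]/', $input) === 1) {
        throw new InvalidArgumentException(
            'URI input contains an ASCII control character, whitespace, or DEL'
        );
    }
    return $input;
}

/** Build a request for an untrusted destination URL, validating the string first. */
function buildOutboundRequest(string $untrustedUrl): Request
{
    // Request() populates the Host header from the URI's host component.
    return new Request('GET', new Uri(assertCleanUriInput($untrustedUrl)));
}

/** Same check for code that sets the host component separately via withHost(). */
function withValidatedHost(Uri $uri, string $untrustedHost): Uri
{
    return $uri->withHost(assertCleanUriInput($untrustedHost));
}

/**
 * The kind of manual serializer the advisory describes: request line and
 * headers are written straight into an HTTP/1.1 byte stream, so any CR/LF
 * that survives inside a header value becomes a header boundary on the wire.
 */
function serializeRawHttp(Request $request): string
{
    $raw = sprintf("%s %s HTTP/1.1\r\n",
        $request->getMethod(), $request->getRequestTarget());
    foreach ($request->getHeaders() as $name => $values) {
        $raw .= $name . ': ' . implode(', ', $values) . "\r\n";
    }
    return $raw . "\r\n";
}

// Constructed sample: a user-supplied webhook URL with a CRLF sequence and a
// forged header smuggled into the host component.
$webhook = "http://example.com\r\nX-Injected: yes/hook";

try {
    $request = buildOutboundRequest($webhook);
    echo serializeRawHttp($request);
} catch (InvalidArgumentException $e) {
    // With the check in place this branch is taken and nothing is sent.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The character class `[\x00-\x20\x7F]` matches exactly the advisory's scope: ASCII control characters, ASCII whitespace (tab, LF, VT, FF, CR are controls; space is 0x20) and DEL. It deliberately says nothing about non-ASCII bytes, so internationalized hosts that a later normalization step handles are not affected by it. Run the check on the full untrusted string before parsing rather than on the parsed host alone, since how a given parser splits a string containing CR/LF is exactly what you cannot rely on.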