guzzlehttp/psr7: Malformed Host header misinterpretation in URI construction
What changed
guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data, potentially causing the URI host to differ from the original Host header.
Who it affects
Applications that parse attacker-controlled raw HTTP requests with Message::parseRequest() or legacy parse_request(), or build server requests from attacker-controlled server variables with ServerRequest::fromGlobals() or getUriFromGlobals(), and then rely on the resulting URI host for routing, allow-list checks, credential selection, or forwarding decisions.
What to do today
Upgrade to version 2.10.2 or later. If you cannot upgrade immediately, validate Host values before passing untrusted request data to the affected functions, rejecting any value that contains userinfo (@), a path, a query, a fragment, or otherwise invalid authority syntax.
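As an added example (not guzzlehttp/psr7's own code), a Host header validator in PHP that implements the interim mitigation above; it assumes the application reads the header from $_SERVER['HTTP_HOST'] before calling ServerRequest::fromGlobals(), and it is deliberately stricter than the RFC 3986 reg-name grammar (no percent-encoding or sub-delimiters, and no empty port).

```php
<?php
declare(strict_types=1);

// Added example, not guzzlehttp/psr7 code: accept only "host" or "host:port"
// where host is a hostname, an IPv4 literal or a bracketed IPv6 literal.
// Returns false for userinfo (@), path (/), query (?), fragment (#),
// whitespace, backslashes, or any other syntax outside the authority form.
function isValidHostHeader(string $host): bool
{
    // Any of these characters would let the value carry more than a host[:port].
    if ($host === '' || strpbrk($host, "@/?#\\ \t\r\n") !== false) {
        return false;
    }

    // Bracketed IPv6 literal with optional :port, e.g. "[::1]:8080".
    if ($host[0] === '[') {
        if (!preg_match('/^\[([0-9A-Fa-f:.]+)\](?::([0-9]{1,5}))?$/', $host, $m)) {
            return false;
        }
        if (filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return false;
        }
        return !isset($m[2]) || (int) $m[2] <= 65535;
    }

    // Hostname or IPv4 literal with optional :port, e.g. "example.com:443".
    // Stricter than RFC 3986 reg-name: letters, digits, '.', '_' and '-' only.
    if (!preg_match('/^([A-Za-z0-9][A-Za-z0-9._-]{0,253})(?::([0-9]{1,5}))?$/', $host, $m)) {
        return false;
    }
    return !isset($m[2]) || (int) $m[2] <= 65535;
}

// Usage (assumed policy): fail closed with 400 before any request object is built,
// so that ServerRequest::fromGlobals() never sees a Host value like "evil.test@good.test".
if (isset($_SERVER['HTTP_HOST']) && !isValidHostHeader($_SERVER['HTTP_HOST'])) {
    http_response_code(400);
    exit;
}
```

The same check applies to the Host line extracted from a raw message before it is handed to Message::parseRequest(); compare the validated value against the host the application actually serves rather than trusting the parsed URI.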