guzzlehttp/psr7 rejects CR/LF in HTTP method, protocol version, and reason phrase
What changed
guzzlehttp/psr7 now rejects CR/LF characters in HTTP method, protocol version, and response reason phrase values before storing them in first-party message objects.
Who it affects
Applications that manually serialize PSR-7 messages, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, testing, or similar code. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected.
What to do today
Upgrade to version 2.12.1 or later. If unable to upgrade, reject CR/LF in untrusted method, protocol version, and reason phrase values before constructing or modifying PSR-7 messages.
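One way to apply the interim check when upgrading is not possible, as an added example that is not code from guzzlehttp/psr7 or from this advisory. The helper names assertNoCrLf and guardStartLineValues are hypothetical, and the sample inputs are constructed:

```php
<?php
declare(strict_types=1);

// Added example: these helpers are hypothetical and not part of guzzlehttp/psr7.

/** Returns $value unchanged, or throws if it contains CR or LF. */
function assertNoCrLf(string $field, string $value): string
{
    if (strpbrk($value, "\r\n") !== false) {
        throw new InvalidArgumentException("$field must not contain CR or LF");
    }
    return $value;
}

/**
 * Checks the three values named in the advisory. Null means "not supplied".
 * Call this on untrusted input before handing the values to a PSR-7
 * constructor or to withMethod(), withProtocolVersion() or withStatus().
 */
function guardStartLineValues(?string $method, ?string $version, ?string $reason): array
{
    $fields = ['method' => $method, 'protocol version' => $version, 'reason phrase' => $reason];
    $checked = [];
    foreach ($fields as $field => $value) {
        if ($value !== null) {
            $checked[$field] = assertNoCrLf($field, $value);
        }
    }
    return $checked;
}

// Constructed sample inputs: [method, protocol version, reason phrase].
$samples = [
    ['GET', '1.1', null],
    [null, '1.1', 'Not Found'],
    ["GET\r\nX-Test: 1", '1.1', null],
    ['POST', "1.1\n", null],
    [null, '1.1', "OK\rextra"],
];

foreach ($samples as [$method, $version, $reason]) {
    try {
        $ok = guardStartLineValues($method, $version, $reason);
        // Safe to construct here, e.g. new Request($ok['method'], $uri, [], null, $ok['protocol version'])
        echo 'accepted: ', json_encode($ok), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two samples are accepted and the last three are rejected. Run the guard at the point where untrusted data enters, so every later code path that builds or modifies a message receives checked values.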