GHSA-9jxr-mwpp-w643: Improper header validation in httpsoft/http-message
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: -
GHSA ID: GHSA-9jxr-mwpp-w643
EPSS Score: -
CWE: -
Published: 4/21/2023
Updated: 4/21/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| httpsoft/http-message | composer | < 1.0.12 | 1.0.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper validation of header delimiters and newline characters. The HTTP specification requires the header block to be terminated with `\r\n\r\n`, but many servers also accept `\n\n`. Functions that parse headers (for example from server globals or from a raw header string) are likely vulnerable if they (1) split headers on `\n` instead of `\r\n`, (2) accept `\n\n` as the header/body separator, or (3) fail to reject a bare `\n` in header names or values. The ServerRequestFactory and Message classes are the core header-handling components of a PSR-7 implementation, which makes their parsing and validation functions high-confidence candidates for the affected code.
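The checks the analysis calls for, as an added PHP example that is not code from httpsoft/http-message: header names are validated against the RFC 7230 token grammar and values are rejected if they contain any CR or LF. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not httpsoft/http-message code): the validation a PSR-7
// Message implementation needs before storing a header. Names must be
// RFC 7230 tokens; values must contain no CR or LF at all, so a caller
// cannot inject an extra header line or an "\n\n" body separator.

function isValidHeaderName(string $name): bool
{
    // token = 1*tchar (RFC 7230 section 3.2.6). \z is used rather than $:
    // a bare $ in PCRE also matches just before a trailing "\n", which
    // would let a name such as "X-Name\n" slip through.
    return preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+\z/', $name) === 1;
}

function isValidHeaderValue(string $value): bool
{
    // Printable ASCII, HTAB, and high bytes (obs-text). CR, LF and other
    // control bytes are rejected, which also rejects obsolete line folding.
    return preg_match('/^[\t\x20-\x7E\x80-\xFF]*\z/', $value) === 1;
}

function assertHeaderValid(string $name, string $value): void
{
    if (!isValidHeaderName($name)) {
        throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
    }
    if (!isValidHeaderValue($value)) {
        throw new InvalidArgumentException("Invalid value for header $name: " . json_encode($value));
    }
}

// Constructed inputs: the first is clean; the others carry a bare LF, a CRLF,
// an LF-LF sequence that an "\n"-based parser would treat as end of headers,
// and a trailing LF in the name.
$cases = [
    ['X-Request-Id', 'abc123'],
    ['X-Request-Id', "abc123\nX-Injected: 1"],
    ['X-Request-Id', "abc123\r\nX-Injected: 1"],
    ['X-Request-Id', "abc123\n\nnot-a-header"],
    ["X-Request-Id\n", 'abc123'],
];

foreach ($cases as [$name, $value]) {
    try {
        assertHeaderValid($name, $value);
        echo 'accepted ', json_encode($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first case is accepted; a parser that splits a raw header block should likewise split on `\r\n` and then run each name and value through these checks.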