Update dependency guzzlehttp/psr7 to v2 [SECURITY] #13

Open

renovate[bot] wants to merge 1 commit into master from renovate/packagist-guzzlehttp-psr7-vulnerability

Conversation

renovate[bot] commented Jun 13, 2026

This PR contains the following updates:

Package           Change
guzzlehttp/psr7   ^1.8.2 -> ^2.10.2

guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation

CVE-2026-48998 / GHSA-34xg-wgjx-8xph

Impact

guzzlehttp/psr7 improperly interpreted malformed Host header values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal outbound request-sending path used by guzzlehttp/guzzle.

A vulnerable flow is:

  1. An attacker controls a raw HTTP request or server variable containing a Host value.
  2. The Host value contains URI authority delimiters, such as trusted.example@evil.example.
  3. guzzlehttp/psr7 uses that value to construct a URI.
  4. The URI parser treats the portion before @ as userinfo and the portion after @ as the URI host.
  5. The resulting PSR-7 request URI host differs from the original Host header value.

For example, Host: trusted.example@evil.example can result in a PSR-7 URI whose host is evil.example, while the original Host header value remains trusted.example@evil.example.

Applications are affected if they parse attacker-controlled raw HTTP requests with GuzzleHttp\Psr7\Message::parseRequest() or the legacy 1.x GuzzleHttp\Psr7\parse_request() function, or if they build server requests from attacker-controlled server variables with GuzzleHttp\Psr7\ServerRequest::fromGlobals() or GuzzleHttp\Psr7\ServerRequest::getUriFromGlobals(), and then rely on the resulting URI host for routing, allow-list checks, credential selection, or forwarding decisions. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host.

Patches

The issue is patched in 2.10.2 and later. 1.x is end-of-life and will not receive a patch.

Workarounds

If you cannot upgrade immediately, validate Host values before passing untrusted request data to Message::parseRequest(), legacy 1.x parse_request(), ServerRequest::fromGlobals(), or ServerRequest::getUriFromGlobals().

Accept only uri-host [ ":" port ]. Reject values containing whitespace, control characters, userinfo (@), path (/ or \), query (?), fragment (#), malformed IP literals or bracket syntax, or invalid port syntax.

Do not validate Host by prefixing it with http:// and passing it to parse_url(), because that can reinterpret malformed values as URI userinfo and host.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


guzzlehttp/psr7 has CRLF Injection via URI Host Component

CVE-2026-49214 / GHSA-hq7v-mx3g-29hw

Impact

guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString() or an equivalent custom serializer. Creating a Uri, Request, or other PSR-7 object alone is not sufficient. The malformed host must be copied into the serialized Host header without further validation.

A vulnerable flow is:

  1. An application accepts a user-controlled URL.
  2. The URL is used to construct a PSR-7 Uri or Request.
  3. The host component contains CRLF or another header-unsafe character.
  4. The request is serialized into a raw HTTP/1.x message without an explicit Host header.
  5. The host is copied into the serialized Host header.
  6. The serialized request is written to the network or otherwise processed by software that does not independently reject the malformed host.

In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing "\r\nX-Injected: yes" can cause the generated Host header to span multiple HTTP header lines.

This is not the normal request-sending path used by guzzlehttp/guzzle. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected. Applications are most likely to be affected when they manually serialize PSR-7 requests, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, or similar request-dispatch code that serializes requests without independently validating URI hosts and header data. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed serialized request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.

Patches

The issue is patched in 2.10.2 and later. 1.x is end-of-life and will not receive a patch.

Workarounds

If you cannot upgrade immediately, validate and reject all untrusted URI strings before constructing PSR-7 Uri or Request instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters:

if (preg_match('/[\x00-\x20\x7F]/', $untrustedUrl)) {
    throw new \InvalidArgumentException('Insecure URL detected');
}

Applications that manually serialize or forward requests should also ensure the final HTTP client, transport, or serializer rejects invalid URI and header data before writing requests to the network.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

guzzle/psr7 (guzzlehttp/psr7)

v2.10.2

Security
Fixed
  • Make ServerRequest::fromGlobals() robust against unexpected HTTP header value types in $_SERVER

v2.10.1

Fixed
  • Fix Utils::modifyRequest() with numeric header names

v2.10.0

Changed
  • Harden ServerRequest::fromGlobals() against malformed $_SERVER values
  • Prevent custom stream metadata from affecting internal size handling
  • Throw when StreamWrapper::getResource() cannot create a resource
  • Preserve custom request implementations in Utils::modifyRequest()
  • Preserve custom URI implementations in UriResolver::resolve()
  • Make Uri::__toString() side-effect-free

v2.9.1

Fixed
  • Fix parsing of relative path references containing a colon in a non-initial path segment
  • Fix CachingStream::detach() returning an incomplete resource before the decorated stream has been fully read
  • Fix Message::bodySummary() returning null when truncating printable UTF-8 bodies inside a multibyte character

v2.9.0

Added
  • Added nested array expansion support to MultipartStream
  • Added @return static to MessageTrait methods
Changed
  • Updated MIME type mappings

v2.8.1

Fixed
  • Encode + signs in Uri::withQueryValue() and Uri::withQueryValues() to prevent them being interpreted as spaces

v2.8.0

Added
  • Allow empty lists as header values
Changed
  • PHP 8.5 support

v2.7.1

Fixed
  • Fixed uppercase IPv6 addresses in URI
Changed
  • Improve uploaded file error message

v2.7.0

Added
  • Add Utils::redactUserInfo() method
  • Add ability to encode bools as ints in Query::build

v2.6.3

Fixed
  • Make StreamWrapper::stream_stat() return false if inner stream's size is null
Changed
  • PHP 8.4 support

v2.6.2

Fixed
  • Fixed another issue with the fact that PHP transforms numeric strings in array keys to ints
Changed
  • Updated links in docs to their canonical versions
  • Replaced call_user_func* with native calls

v2.6.1

Fixed
  • Properly handle the fact that PHP transforms numeric strings in array keys to ints

v2.6.0

Changed
  • Updated the mime type map to add some new entries, fix a couple of invalid entries, and remove an invalid entry
  • Fallback to application/octet-stream if we are unable to guess the content type for a multipart file upload

v2.5.1

Fixed
  • Corrected mime type for .acc files to audio/aac
Changed
  • PHP 8.3 support

v2.5.0

Changed
  • Adjusted psr/http-message version constraint to ^1.1 || ^2.0

v2.4.5

Fixed
  • Prevent possible warnings on unset variables in ServerRequest::normalizeNestedFileSpec
  • Fixed Message::bodySummary when preg_match fails
  • Fixed header validation issue

v2.4.4

Changed
  • Removed the need for AllowDynamicProperties in LazyOpenStream

v2.4.3

Changed
  • Replaced sha1(uniqid()) by bin2hex(random_bytes(20))

v2.4.2

Fixed
  • Fixed erroneous behaviour when combining host and relative path

v2.4.1

Fixed
  • Rewind body before reading in Message::bodySummary

v2.4.0

Added
  • Added provisional PHP 8.2 support
  • Added UriComparator::isCrossOrigin method

v2.3.0

Fixed
  • Added Header::splitList method
  • Added Utils::tryGetContents method
  • Improved Stream::getContents method
  • Updated mimetype mappings

v2.2.2

Fixed
  • Fix Message::parseRequestUri for numeric headers
  • Re-wrap exceptions thrown in fread into runtime exceptions
  • Throw an exception when multipart options is misformatted

v2.2.1

Fixed
  • Correct header value validation

v2.2.0

Added
  • A more comprehensive list of mime types
  • Add JsonSerializable to Uri
  • Missing return types
Fixed
  • Bug MultipartStream no uri metadata
  • Bug MultipartStream with filename for data:// streams
  • Fixed new line handling in MultipartStream
  • Reduced RAM usage when copying streams
  • Updated parsing in Header::normalize()

v2.1.2

See change log for changes.

v2.1.1

Fixed
  • Validate header values properly

v2.1.0

Changed
  • Attempting to create a Uri object from a malformed URI will no longer throw a generic
    InvalidArgumentException, but rather a MalformedUriException, which inherits from the former
    for backwards compatibility. Callers relying on the exception being thrown to detect invalid
    URIs should catch the new exception.
Fixed
  • Return null in caching stream size if remote size is null

v2.0.0

Identical to the RC release.

v1.9.1

See change log for changes.

v1.9.0

See change log for changes.

v1.8.5

See change log for changes.

v1.8.4

See change log for changes.

v1.8.3

See change log for changes.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
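The two workarounds quoted in the advisories above (accept a Host value only if it is exactly `uri-host [ ":" port ]`, and reject control characters, whitespace and DEL in untrusted URLs before building a Uri or Request) as one worked PHP example. This is an added example, not code from guzzle/psr7, the GitHub advisories or this PR; `validateHostHeader()` and `checkUntrustedUrl()` are hypothetical helper names, the sample Host values and URLs are constructed, and the URL check goes beyond the advisory's one-line regex by also running the URL's host component through the Host validator.

```php
<?php
declare(strict_types=1);

/**
 * Accept a Host header value only if it is exactly "uri-host [ ":" port ]"
 * (RFC 3986: host = IP-literal / IPv4address / reg-name). Returns the
 * lower-cased value on success, null on rejection.
 * Hypothetical helper for this example; not part of guzzlehttp/psr7.
 */
function validateHostHeader(string $host): ?string
{
    if ($host === '') {
        return null;
    }

    // Split off the optional port. A bracketed IPv6 literal contains colons
    // itself, so only a colon after the closing bracket can start the port.
    if ($host[0] === '[') {
        $close = strpos($host, ']');
        if ($close === false) {
            return null;                                   // unbalanced bracket
        }
        $hostPart = substr($host, 0, $close + 1);
        $portPart = substr($host, $close + 1);
    } else {
        $colon    = strpos($host, ':');
        $hostPart = $colon === false ? $host : substr($host, 0, $colon);
        $portPart = $colon === false ? '' : substr($host, $colon);
    }
    if ($hostPart === '') {
        return null;                                       // e.g. ":80"
    }

    // port = ":" 1*5DIGIT and <= 65535. The /D modifier stops "$" from matching
    // before a trailing newline, so "443\n" is rejected as invalid port syntax.
    if ($portPart !== ''
        && (!preg_match('/^:([0-9]{1,5})$/D', $portPart, $m) || (int) $m[1] > 65535)) {
        return null;
    }

    // IP-literal: only a well-formed IPv6 address in brackets is accepted;
    // the IPvFuture form is deliberately rejected by this example.
    if ($hostPart[0] === '[') {
        $inner = substr($hostPart, 1, -1);
        if (filter_var($inner, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return null;
        }
        return '[' . strtolower($inner) . ']' . $portPart;
    }

    // reg-name / IPv4address: unreserved, sub-delims and pct-encoded octets only.
    // sub-delims do not include "@", ":", "/", "\", "?" or "#", and whitespace,
    // C0 controls and DEL are outside every class, so all of those fail here.
    if (!preg_match('/^(?:[A-Za-z0-9\-._~!$&\'()*+,;=]|%[0-9A-Fa-f]{2})+$/D', $hostPart)) {
        return null;
    }
    return strtolower($hostPart) . $portPart;
}

/**
 * Pre-filter for an untrusted URL before it reaches Uri/Request construction.
 * Starts with the advisory's regex, then additionally requires an absolute URL
 * whose host (and port, if any) passes validateHostHeader().
 * Hypothetical helper for this example; not part of guzzlehttp/psr7.
 */
function checkUntrustedUrl(string $untrustedUrl): string
{
    // The advisory's workaround: any C0 control, space or DEL byte anywhere.
    if (preg_match('/[\x00-\x20\x7F]/', $untrustedUrl)) {
        throw new \InvalidArgumentException('Insecure URL detected');
    }

    // parse_url() on a full URL is fine here; the advisory only warns against
    // using it to validate a bare Host value after prefixing "http://".
    $parts = parse_url($untrustedUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new \InvalidArgumentException('URL must be absolute and carry a host');
    }
    $authority = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if (validateHostHeader($authority) === null) {
        throw new \InvalidArgumentException('URL host is not a valid uri-host [ ":" port ]');
    }
    return $untrustedUrl;
}

// Demonstration on constructed values (not from the advisories).
$hostSamples = [
    'trusted.example',
    'TRUSTED.example:8443',
    '[2001:db8::1]:443',
    'trusted.example@evil.example',        // authority reinterpretation case
    "evil.example\r\nX-Injected: yes",     // CRLF into a serialized Host header
    'trusted.example:99999',               // port out of range
    'trusted.example/admin',               // path delimiter
];
foreach ($hostSamples as $sample) {
    printf("%-42s => %s\n", json_encode($sample), validateHostHeader($sample) ?? 'REJECTED');
}

// Why "http://" . $host into parse_url() is not a substitute: the "@" becomes
// the userinfo delimiter, so the reported host is not the one the header carried.
print_r(parse_url('http://' . 'trusted.example@evil.example'));

foreach (['https://trusted.example/api', "https://evil.example/\r\nX-Injected: yes"] as $url) {
    try {
        echo checkUntrustedUrl($url), " accepted\n";
    } catch (\InvalidArgumentException $e) {
        echo json_encode($url), ' rejected: ', $e->getMessage(), "\n";
    }
}
```

Save the block to a file and run it with the php CLI. The first four sample hosts show what the grammar admits (case is normalized, a bracketed IPv6 literal keeps its port), the remaining three are rejected by the same character-class test the advisory describes. The `print_r` call shows the trap the advisory names: for `trusted.example@evil.example`, PHP's `parse_url` reports `user` as `trusted.example` and `host` as `evil.example`, which is exactly the split a Host check must never rely on. Validate the raw header value against the grammar instead, as `validateHostHeader()` does, and only then pass the request data to `Message::parseRequest()` or `ServerRequest::fromGlobals()`.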
