CVE-2022-24775 Overview
CVE-2022-24775 is an improper header parsing vulnerability in guzzlehttp/psr7, a widely-used PSR-7 HTTP message library for PHP. The vulnerability exists in versions prior to 1.8.4 and 2.1.1, where inadequate input validation allows attackers to inject newline characters into HTTP headers. This flaw enables malicious actors to pass untrusted values through header manipulation, potentially leading to HTTP response splitting attacks and other security compromises.
Critical Impact
Attackers can exploit improper header parsing to inject malicious headers via newline characters, potentially enabling HTTP response splitting, cache poisoning, and session hijacking attacks against applications using vulnerable versions of guzzlehttp/psr7.
Affected Products
- guzzlephp psr-7 (versions prior to 1.8.4 and 2.1.1)
- drupal drupal (dependent on vulnerable psr-7 library)
Discovery Timeline
- 2022-03-21 - CVE CVE-2022-24775 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24775
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the HTTP header parsing logic of guzzlehttp/psr7. The library fails to properly sanitize or reject newline characters (\r\n or \n) when processing HTTP header values. In HTTP protocol, headers are terminated by CRLF sequences, so allowing untrusted input to contain these characters enables attackers to effectively terminate one header prematurely and inject additional headers of their choosing.
The attack surface is significant as guzzlehttp/psr7 is a foundational library used by the popular Guzzle HTTP client and is widely adopted across the PHP ecosystem, including by Drupal core. Applications that pass user-controlled input into HTTP headers without additional sanitization are vulnerable to exploitation.
Root Cause
The root cause of CVE-2022-24775 is insufficient input validation in the header parsing functions of guzzlehttp/psr7. The library did not properly validate header values to ensure they do not contain newline characters before processing. This oversight allows attackers to craft malicious input containing \r\n or \n sequences that break out of the intended header context and inject arbitrary HTTP headers into the response.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying an application that uses a vulnerable version of guzzlehttp/psr7
- Finding an input vector where user-controlled data is incorporated into HTTP headers
- Crafting a malicious payload containing newline characters followed by injected header content
- Submitting the payload to inject arbitrary headers into HTTP responses
This can lead to HTTP response splitting attacks where the attacker controls portions of the HTTP response, potentially enabling cross-site scripting (XSS), cache poisoning, or session manipulation. For detailed technical information, refer to the GitHub Security Advisory GHSA-q7rv-6hp3-vh96.
Detection Methods for CVE-2022-24775
Indicators of Compromise
- Unusual HTTP header values in application logs containing encoded newline characters (%0d%0a, %0a)
- Unexpected or malformed HTTP responses being served to clients
- Web application firewall alerts for HTTP response splitting attempts
- Log entries showing header injection patterns in request parameters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing newline character sequences in header-related parameters
- Monitor application logs for unusual header manipulation patterns or malformed requests
- Perform dependency scanning to identify vulnerable versions of guzzlehttp/psr7 in your PHP projects
- Use composer audit or similar tools to automatically detect known vulnerabilities in dependencies
Monitoring Recommendations
- Enable detailed logging for HTTP request and response headers in your application
- Configure intrusion detection systems (IDS) to alert on HTTP response splitting signatures
- Implement automated dependency vulnerability scanning in CI/CD pipelines
- Monitor for unexpected cache behavior that may indicate cache poisoning attempts
How to Mitigate CVE-2022-24775
Immediate Actions Required
- Update guzzlehttp/psr7 to version 1.8.4 or later (for 1.x branch) or 2.1.1 or later (for 2.x branch)
- Run composer update guzzle/psr7 to pull the latest patched version
- Review application code for any manual header manipulation that could bypass library protections
- Implement additional input validation for any user-controlled data that flows into HTTP headers
Patch Information
The vulnerability has been patched in guzzlehttp/psr7 versions 1.8.4 and 2.1.1. The fixes implement proper validation to reject header values containing newline characters. Drupal has also released an update addressing this vulnerability as documented in Drupal Security Advisory SA-CORE-2022-006.
For reference, the specific patches can be found at:
Workarounds
- According to the advisory, there are currently no known workarounds for this vulnerability
- The recommended action is to upgrade to the patched versions immediately
- As a defense-in-depth measure, implement input sanitization that strips or rejects newline characters from any user input that may be used in HTTP headers
# Update guzzlehttp/psr7 to patched version
composer require guzzle/psr7:^1.8.4
# or for 2.x branch
composer require guzzle/psr7:^2.1.1
# Verify installed version
composer show guzzle/psr7
# For Drupal sites, apply core updates
composer update drupal/core drupal/core-recommended --with-dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
