CVE-2022-31042 Overview
CVE-2022-31042 is an information disclosure vulnerability in Guzzle, an open source PHP HTTP client. It lies in how Guzzle's redirect handling treats the Cookie header. When a request made over https is redirected to an http URI, or when a request is redirected to a different host, the Cookie header must be stripped so that session data is not sent to a destination it was never meant for. Before the fix, only cookies managed by Guzzle's cookie middleware (a CookieJar) were dropped; a Cookie header set directly on the initial request stayed on the redirected request and was sent to whatever host the redirect named.
Critical Impact
Session tokens and other credentials carried in a hand-set Cookie header can be sent to a server outside the intended origin whenever the server being called (or whoever has compromised it) answers with a redirect to another host or with a downgrade from https to http.
Affected Products
- Guzzle PHP HTTP Client (versions prior to 6.5.7 and 7.4.4)
- Drupal Core (versions 9.2.x, 9.3.x, and 9.4.x pre-release)
- Debian 11 (bullseye)
Discovery Timeline
- 2022-06-10 - CVE-2022-31042 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31042
Vulnerability Analysis
This is a case of sensitive data mishandled while following HTTP redirects. Guzzle ships a redirect middleware that follows 3xx responses automatically. Following a redirect automatically (RFC 9110, Section 15.4, Redirection 3xx) means re-sending the request to a destination chosen by the responding server, so it is the client's job not to carry credentials across a change of origin or an https-to-http downgrade when it does so.
The flaw is an inconsistency between the two ways a cookie can reach a request. Cookies managed by Guzzle's cookie middleware are recomputed for every hop from the CookieJar, so a cookie scoped to the original host is simply not attached to a request for another host. A Cookie header set directly on the request, a common shortcut in custom authentication code, was not subject to that check: the redirect middleware carried it onto the new request along with the other headers, so it reached every server in the redirect chain.
Root Cause
The redirect middleware (RedirectMiddleware) did not sanitize the Cookie header itself when it built the request for the next hop. It relied on the cookie middleware, which only governs cookies held in the jar, so a Cookie header placed on the initial request by the caller was left in place and forwarded across host and scheme boundaries.
Attack Vector
An attacker needs to control, or have compromised, a server the Guzzle-based application talks to; an https response cannot be altered in transit, so a network-position (man-in-the-middle) attacker can only inject the redirect when the initial request is plain http. The sequence is:
- The application sends a request carrying a hand-set Cookie header to the attacker-controlled or compromised server
- That server answers with a 3xx redirect to an http URI, or to another host the attacker controls
- Guzzle follows the redirect and forwards the hand-set Cookie header with the new request
- The attacker reads the cookie from the incoming request, typically a session token or API credential
The fix makes the redirect middleware strip the Cookie header from the redirected request itself, whether the cookie jar or the caller set it, and leaves the cookie middleware to re-attach whichever cookies its jar holds for the new destination.
}
/**
- * Check for too many redirects
+ * Check for too many redirects.
*
* @throws TooManyRedirectsException Too many redirects.
*/
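Review bot: this excerpt shows only the docblock punctuation change on "Check for too many redirects", not the change that removes the Cookie header from the redirected request, so as quoted it does not support the description of the fix given above. Quote the hunk in RedirectMiddleware where the Cookie header is stripped for the next hop, so the page's claim about the patch is backed by the diff it cites.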
Source: GitHub Commit e3ff079b22820c2029d4c2a87796b6a0b8716ad8
Detection Methods for CVE-2022-31042
Indicators of Compromise
- Outbound requests from the application to hosts it was not configured to call, arriving right after a request to a configured API
- Egress proxy or client logs showing redirect chains that change host or drop from https to http
- Session hijacking or unauthorized account access shortly after the application interacted with an external service
- In the application's own egress or proxy logs, a hand-set Cookie header on a request to a host other than the one the application originally called
Detection Strategies
- Review application dependencies and verify Guzzle versions using composer show guzzlehttp/guzzle
- Audit application code for manual Cookie header additions to Guzzle requests
- Monitor network traffic for redirect responses that cross domain boundaries or protocol downgrades
- Implement logging for all outbound HTTP requests to detect unexpected cookie transmission patterns
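The audit steps above can be turned into a local check that runs against whatever Guzzle version Composer has installed. The script below is an added example written for this page, not code from the Guzzle project. It assumes guzzlehttp/guzzle (6.x or 7.x) is installed with Composer and that the file sits in the project root next to vendor/. Every host, cookie value and response in it is constructed; MockHandler answers each request locally, so nothing leaves the machine. It drives the stock redirect middleware with a 302 to a cross-host, a downgraded and a same-origin destination, once with the Cookie header set by hand (the pattern CVE-2022-31042 is about) and once with the same cookie in a CookieJar marked Secure, and reports whether the redirected request still carried the cookie.

```php
<?php
// Added example for this page; not code from the Guzzle project.
// Assumes guzzlehttp/guzzle (6.x or 7.x) installed with Composer, file in the
// project root. Hosts, cookie values and responses below are constructed;
// MockHandler answers every request locally, so no traffic leaves the machine.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Cookie\CookieJar;
use GuzzleHttp\Cookie\SetCookie;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;

/**
 * Send one request to $from, answer it with a 302 to $to, and report whether
 * the redirected (second) request still carried a Cookie header.
 * $viaJar = false sets the Cookie header by hand, the pattern the CVE is about;
 * $viaJar = true puts the same cookie in a CookieJar scoped to the origin host
 * and marked Secure, so the cookie middleware decides where it may go.
 */
function cookieForwardedOnRedirect(string $from, string $to, bool $viaJar): bool
{
    $mock = new MockHandler([
        new Response(302, ['Location' => $to]),
        new Response(200, [], 'ok'),
    ]);
    // HandlerStack::create() installs the stock redirect and cookie middleware,
    // so the installed Guzzle version's own redirect handling is what runs.
    $stack = HandlerStack::create($mock);
    $history = [];
    $stack->push(Middleware::history($history)); // innermost: records every hop

    $options = ['allow_redirects' => true];
    if ($viaJar) {
        $jar = new CookieJar();
        $jar->setCookie(new SetCookie([
            'Name'   => 'session',
            'Value'  => 'constructed-token-value',
            'Domain' => (new Uri($from))->getHost(),
            'Secure' => true, // never attach over plain http
        ]));
        $options['cookies'] = $jar;
    } else {
        $options['headers'] = ['Cookie' => 'session=constructed-token-value'];
    }

    (new Client(['handler' => $stack]))->request('GET', $from, $options);

    // $history[0] is the original request, $history[1] the redirect hop.
    return $history[1]['request']->hasHeader('Cookie');
}

$cases = [
    'cross-host'  => ['https://api.example.com/login', 'https://collector.example.net/'],
    'https->http' => ['https://api.example.com/login', 'http://api.example.com/insecure'],
    'same origin' => ['https://api.example.com/login', 'https://api.example.com/next'],
];

if (class_exists(\Composer\InstalledVersions::class)) { // Composer 2 runtime API
    echo 'guzzlehttp/guzzle ', \Composer\InstalledVersions::getPrettyVersion('guzzlehttp/guzzle'), "\n";
}
foreach ($cases as $name => [$from, $to]) {
    printf("%-12s Cookie forwarded: hand-set header %-3s  cookie jar %s\n",
        $name,
        cookieForwardedOnRedirect($from, $to, false) ? 'YES' : 'no',
        cookieForwardedOnRedirect($from, $to, true) ? 'YES' : 'no');
}
```

Run it with php from the project root. On a vulnerable version the cross-host and https->http rows print YES in the hand-set column; on 6.5.7, 7.4.4 or later they print no. The cookie-jar column prints no for those two rows on every version and YES for the same-origin row, because the jar re-evaluates domain and the Secure flag on each hop rather than copying a header. The same-origin row in the hand-set column tells you whether the installed version also drops a hand-set cookie on same-origin redirects, which code that relies on a hand-set header should know before upgrading.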
Monitoring Recommendations
- Enable verbose logging for HTTP client operations in development and staging environments
- Configure egress proxies or web application firewalls to alert when a Cookie header leaves for a host that is not on the allow list
- Use runtime application self-protection (RASP) tooling, where available, to observe how the application handles cookies at run time
- Scan dependencies regularly for known vulnerabilities with composer audit or a service such as Snyk
How to Mitigate CVE-2022-31042
Immediate Actions Required
- Upgrade Guzzle to version 7.4.4 or later for Guzzle 7.x users
- Upgrade Guzzle to version 6.5.7 or later for users on the 6.x series
- Review and update Drupal Core installations to patched versions as per the Drupal Core Security Advisory SA-CORE-2022-011
- Audit all Guzzle client configurations for manual Cookie header usage
Patch Information
The vulnerability is fixed in Guzzle 6.5.7 and 7.4.4. The fix changes RedirectMiddleware so that it strips the Cookie header from the redirected request itself, whether the cookie jar or the caller set it, and then lets the cookie middleware re-add the cookies its jar holds for the new destination. The patch is in GitHub commit e3ff079b22820c2029d4c2a87796b6a0b8716ad8. Debian users should apply the update from DSA-5246. The GitHub Security Advisory GHSA-f2wf-25xc-69c9 has further details.
Workarounds
- Disable automatic redirect following (allow_redirects set to false in the client or request options) and handle 3xx responses in application code, deciding per hop which headers may be carried over
- If automatic redirects are required, add middleware that removes Cookie and Authorization whenever the next hop changes origin or downgrades from https to http
- Put cookies in a Guzzle CookieJar (the cookies option) scoped to the intended host, and mark them Secure, instead of setting the Cookie header by hand; the jar re-evaluates domain and scheme on every hop
- Block plain-http egress from the application at the proxy or firewall so that a downgraded redirect fails instead of leaking
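The first workaround above, followed through as an added example that is not code from the Guzzle project: automatic redirects are switched off and each hop is followed by hand with an explicit header policy. It assumes guzzlehttp/guzzle 7.x installed with Composer (the Utils class from guzzlehttp/psr7 is used for the empty body) and the file in the project root; the hosts, cookie value and mocked responses are constructed. Origin is compared on scheme, host and port, so an https-to-http downgrade counts as leaving the origin and strips Cookie and Authorization.

```php
<?php
// Added example for this page; not code from the Guzzle project.
// Implements the "disable automatic redirects and sanitize headers yourself"
// workaround. Assumes guzzlehttp/guzzle 7.x (guzzlehttp/psr7 with Utils) is
// installed with Composer; hosts, cookie value and responses are constructed.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\ClientInterface;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

/** Headers that must not follow a redirect out of the origin they were meant for. */
const SENSITIVE_HEADERS = ['Cookie', 'Authorization'];

/** True when $to is a different origin from $from: scheme, host or port differs.
 *  An https -> http downgrade is a scheme change, so it is caught here too. */
function leavesOrigin(UriInterface $from, UriInterface $to): bool
{
    return $from->getScheme() !== $to->getScheme()
        || strcasecmp($from->getHost(), $to->getHost()) !== 0
        || $from->getPort() !== $to->getPort(); // PSR-7 gives null for the scheme's default port
}

/**
 * Send $request and follow up to $maxHops redirects by hand, stripping
 * SENSITIVE_HEADERS from any hop that leaves the current origin.
 */
function sendFollowingRedirects(ClientInterface $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false, 'http_errors' => false]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status > 399 || !$response->hasHeader('Location')) {
            return $response;
        }
        if ($hop >= $maxHops) {
            throw new RuntimeException("Too many redirects (limit $maxHops)");
        }
        $next = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        if (!in_array($next->getScheme(), ['http', 'https'], true)) {
            throw new RuntimeException('Refusing to redirect to scheme ' . $next->getScheme());
        }
        $nextRequest = $request->withUri($next); // withUri() also rewrites the Host header
        // 303, and 301/302 after a POST, become a body-less GET, as browsers do.
        if ($status === 303 || ($request->getMethod() === 'POST' && in_array($status, [301, 302], true))) {
            $nextRequest = $nextRequest->withMethod('GET')->withBody(Utils::streamFor(''))
                ->withoutHeader('Content-Type')->withoutHeader('Content-Length');
        }
        if (leavesOrigin($request->getUri(), $next)) {
            foreach (SENSITIVE_HEADERS as $name) {
                $nextRequest = $nextRequest->withoutHeader($name);
            }
        }
        $request = $nextRequest;
    }
}

// Constructed demo: the first server bounces the client to another host.
$mock = new MockHandler([
    new Response(302, ['Location' => 'https://collector.example.net/grab']),
    new Response(200, [], 'landed'),
]);
$client = new Client(['handler' => HandlerStack::create($mock)]);
$initial = new Request('GET', 'https://api.example.com/login', ['Cookie' => 'session=constructed-token-value']);
$final = sendFollowingRedirects($client, $initial);
$lastHop = $mock->getLastRequest();
printf("final status %d from %s, Cookie on last hop: %s\n",
    $final->getStatusCode(), $lastHop->getUri(), $lastHop->hasHeader('Cookie') ? 'YES' : 'no');
```

Because allow_redirects is false on every send, the stock RedirectMiddleware never runs and the only redirect policy in play is the one in sendFollowingRedirects, which is why this works the same on vulnerable and fixed Guzzle versions. The demo prints a 200 from https://collector.example.net/grab with Cookie on last hop: no; change the Location to a path on api.example.com to see the header preserved for a same-origin hop.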
# Upgrade Guzzle via Composer
composer require guzzlehttp/guzzle:^7.4.4
# Or for Guzzle 6.x users
composer require guzzlehttp/guzzle:^6.5.7
# Verify installed version
composer show guzzlehttp/guzzle | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.