CVE-2022-31090 Overview
CVE-2022-31090 is an information disclosure vulnerability in Guzzle, an extensible PHP HTTP client library. When using the Curl handler with the CURLOPT_HTTPAUTH option to specify an Authorization header, the library fails to properly remove this sensitive authentication data when following redirects to a URI with a different origin. This flaw allows authorization credentials to be inadvertently sent to unintended third-party servers during cross-origin redirects.
Critical Impact
Authorization headers containing sensitive credentials may be leaked to unauthorized third-party servers when Guzzle follows redirects that involve a change in host, scheme, or port, potentially exposing user credentials and enabling account compromise.
Affected Products
- Guzzle versions prior to 7.4.5
- Guzzle versions prior to 6.5.8
- Debian Linux 11.0
Discovery Timeline
- 2022-06-27 - CVE-2022-31090 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31090
Vulnerability Analysis
This vulnerability stems from improper handling of sensitive Authorization headers during HTTP redirect processing. When Guzzle's Curl handler is configured with CURLOPT_HTTPAUTH to handle authentication, the library should strip these credentials when following redirects to cross-origin destinations. However, the original implementation only checked for host changes, failing to account for changes in scheme (HTTP to HTTPS or vice versa) or port number. This incomplete validation creates a scenario where authentication credentials persist across origin boundaries, violating the same-origin security principle.
A partial fix was implemented in Guzzle 7.4.2 that addressed host changes, but the vulnerability remained exploitable through scheme and port modifications until the complete fix in version 7.4.5.
Root Cause
The root cause is improper origin comparison in the RedirectMiddleware component. The original code only compared the host portion of URIs when determining whether to strip authentication headers. The CWE classifications (CWE-200: Exposure of Sensitive Information and CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer) accurately describe this failure to properly sanitize sensitive data before transmitting it to potentially untrusted destinations.
Attack Vector
An attacker can exploit this vulnerability by controlling a redirect destination server. The attack scenario involves:
- A victim application uses Guzzle with CURLOPT_HTTPAUTH to authenticate requests
- The attacker causes the target server to return a redirect response to an attacker-controlled server with a different scheme or port (but potentially the same host)
- Guzzle follows the redirect while preserving the Authorization header
- The attacker's server captures the leaked credentials
$this->guardMax($request, $response, $options);
$nextRequest = $this->modifyRequest($request, $options, $response);
- // If authorization is handled by curl, unset it if host is different.
- if ($request->getUri()->getHost() !== $nextRequest->getUri()->getHost()
- && defined('\CURLOPT_HTTPAUTH')
- ) {
+ // If authorization is handled by curl, unset it if URI is cross-origin.
+ if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) {
unset(
$options['curl'][\CURLOPT_HTTPAUTH],
$options['curl'][\CURLOPT_USERPWD]
Source: GitHub Commit 1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
Detection Methods for CVE-2022-31090
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS requests to external servers following initial authenticated requests
- Authorization headers appearing in logs for servers that should not receive credentials
- Anomalous redirect chains in application logs involving scheme or port changes
- Audit logs showing credential usage from unauthorized IP addresses
Detection Strategies
- Monitor network traffic for Authorization headers being sent to unexpected destinations
- Implement logging to track redirect chains and flag cross-origin redirects in authenticated contexts
- Use dependency scanning tools to identify vulnerable Guzzle versions in your PHP applications
- Review web server access logs for patterns indicating credential harvesting attempts
Monitoring Recommendations
- Enable verbose logging for HTTP client libraries in staging environments to trace redirect behavior
- Implement network segmentation alerts for outbound connections carrying authentication data
- Configure intrusion detection systems to flag HTTP redirects that change scheme or port while preserving authentication headers
- Regularly audit PHP dependencies using composer audit or similar tools
How to Mitigate CVE-2022-31090
Immediate Actions Required
- Upgrade Guzzle 7.x installations to version 7.4.5 or later immediately
- Upgrade Guzzle 6.x installations to version 6.5.8 or later
- Audit applications for use of CURLOPT_HTTPAUTH option with redirect-following enabled
- Review logs for potential past exploitation involving cross-origin redirects
Patch Information
The security fix is available in Guzzle versions 7.4.5 and 6.5.8. The patch modifies the RedirectMiddleware.php to use proper cross-origin comparison via Psr7\UriComparator::isCrossOrigin() instead of simple host comparison. This ensures that authentication headers are properly stripped when any origin component (host, scheme, or port) changes during a redirect.
For more information, refer to the GitHub Security Advisory GHSA-25mq-v84q-4j7r and the Debian DSA-5246 Security Notice.
Workarounds
- Disable redirects entirely if your application does not require them by setting allow_redirects to false
- Switch to the Guzzle stream handler backend instead of the Curl handler to avoid the curl-specific authentication handling
- Implement custom redirect middleware that explicitly strips authentication headers on all redirects
- Use explicit per-request authorization headers instead of CURLOPT_HTTPAUTH option
# Update Guzzle via Composer
composer require guzzlehttp/guzzle:^7.4.5
# Verify installed version
composer show guzzlehttp/guzzle
# Run security audit
composer audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
