guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3. | |
| Title | guzzlehttp/psr7: Host Confusion via Weak URI Host Validation | |
| Weaknesses | CWE-436 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T17:00:22.945Z
Reserved: 2026-07-07T16:40:07.982Z
Link: CVE-2026-59882
Updated: 2026-07-08T16:50:29.367Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses