ubuntu-cve-2026-48998
Vulnerability from osv_ubuntu
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as trusted.example@evil.example. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with GuzzleHttp\Psr7\Message::parseRequest() or the legacy 1.x GuzzleHttp\Psr7\parse_request() function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in 2.10.2. 1.x is end-of-life and will not receive a patch. Some workarounds are available. Validate the Host header as uri-host [ ":" port ] before calling Message::parseRequest() or legacy parse_request() on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "1.2.2-1ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@1.2.2-1ubuntu1?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.1.0-1",
"1.2.0-1",
"1.2.1-1",
"1.2.2-1",
"1.2.2-1build1",
"1.2.2-1ubuntu1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "1.4.2-0.1+deb10u2build0.20.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@1.4.2-0.1+deb10u2build0.20.04.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4.2-0.1",
"1.4.2-0.1+deb10u2build0.20.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "1.8.3-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@1.8.3-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.0-1",
"1.8.3-1",
"1.8.3-1ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "2.6.2-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@2.6.2-1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.6.0-1",
"2.6.1-1",
"2.6.2-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "2.7.1-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@2.7.1-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0-3",
"2.7.1-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "php-guzzlehttp-psr7",
"binary_version": "2.8.0-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "php-guzzlehttp-psr7",
"purl": "pkg:deb/ubuntu/php-guzzlehttp-psr7@2.8.0-2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.1-1",
"2.8.0-1",
"2.8.0-2"
]
}
],
"aliases": [],
"details": "guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.example`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\\Psr7\\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\\Psr7\\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ \":\" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.",
"id": "UBUNTU-CVE-2026-48998",
"modified": "2026-06-17T04:30:54Z",
"published": "2026-06-11T13:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-48998"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48998"
},
{
"type": "REPORT",
"url": "https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-48998"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.