{"url":"http://public2.vulnerablecode.io/api/packages/291054?format=json","purl":"pkg:composer/guzzlehttp/psr7@1.5.1","type":"composer","namespace":"guzzlehttp","name":"psr7","version":"1.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.9.1","latest_non_vulnerable_version":"2.4.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17289?format=json","vulnerability_id":"VCID-4tr3-8z2d-5fh6","summary":"Interpretation Conflict\nguzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\\n) into both the header names and values. While the specification states that \\r\\n\\r\\n is used to terminate the header list, many servers in the wild will also accept \\n\\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29197","reference_id":"","reference_type":"","scores":[{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84675","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84711","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84718","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84722","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84704","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84653","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84673","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02291","scoring_system":"epss","scoring_elements":"0.84697","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29197"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml"},{"reference_url":"https://github.com/guzzle/psr7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034581","reference_id":"1034581","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034581"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034597","reference_id":"1034597","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034597"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29197","reference_id":"CVE-2023-29197","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29197"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw","reference_id":"GHSA-wxmh-65f7-jcvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw","reference_id":"GHSA-wxmh-65f7-jcvw","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw"},{"reference_url":"https://usn.ubuntu.com/6670-1/","reference_id":"USN-6670-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6670-1/"},{"reference_url":"https://usn.ubuntu.com/6671-1/","reference_id":"USN-6671-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6671-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57143?format=json","purl":"pkg:composer/guzzlehttp/psr7@1.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/guzzlehttp/psr7@1.9.1"},{"url":"http://public2.vulnerablecode.io/api/packages/57144?format=json","purl":"pkg:composer/guzzlehttp/psr7@2.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/guzzlehttp/psr7@2.4.5"}],"aliases":["CVE-2023-29197","GHSA-wxmh-65f7-jcvw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4tr3-8z2d-5fh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13472?format=json","vulnerability_id":"VCID-wbuz-qcp3-43aq","summary":"Improper Input Validation\nguzzlehttp/psr7 is a PSR-7 HTTP message library used in drupal. Versions prior to 1.8.4 and 2.1.1 is vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775","reference_id":"","reference_type":"","scores":[{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76084","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.7614","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76143","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76167","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76142","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76128","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76095","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00933","scoring_system":"epss","scoring_elements":"0.76116","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml"},{"reference_url":"https://github.com/guzzle/psr7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7"},{"reference_url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1"},{"reference_url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc"},{"reference_url":"https://www.drupal.org/sa-core-2022-006","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://www.drupal.org/sa-core-2022-006"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236","reference_id":"1008236","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775","reference_id":"CVE-2022-24775","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"},{"reference_url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://usn.ubuntu.com/6670-1/","reference_id":"USN-6670-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6670-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48184?format=json","purl":"pkg:composer/guzzlehttp/psr7@1.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4tr3-8z2d-5fh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/guzzlehttp/psr7@1.8.4"},{"url":"http://public2.vulnerablecode.io/api/packages/48186?format=json","purl":"pkg:composer/guzzlehttp/psr7@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4tr3-8z2d-5fh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/guzzlehttp/psr7@2.1.1"}],"aliases":["CVE-2022-24775","GHSA-q7rv-6hp3-vh96"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbuz-qcp3-43aq"}],"fixing_vulnerabilities":[],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/guzzlehttp/psr7@1.5.1"}