VulnerableCode Package Details - pkg:composer/guzzlehttp/guzzle@7.4.5

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5z4a-3hkq-fua9	Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.	CVE-2022-31090 GHSA-25mq-v84q-4j7r GMS-2022-2528
VCID-a9hb-4h2v-17bk	Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.	CVE-2022-31091 GHSA-q559-8m2m-g699 GMS-2022-2529

Vulnerability

Summary

Aliases

VCID-5z4a-3hkq-fua9

Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.

CVE-2022-31090
GHSA-25mq-v84q-4j7r
GMS-2022-2528

VCID-a9hb-4h2v-17bk

Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

CVE-2022-31091
GHSA-q559-8m2m-g699
GMS-2022-2529

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-04T13:56:03.764467+00:00	GitLab Importer	Fixing	VCID-5z4a-3hkq-fua9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/guzzlehttp/guzzle/CVE-2022-31090.yml	37.0.0
2025-07-04T13:56:03.571741+00:00	GitLab Importer	Fixing	VCID-a9hb-4h2v-17bk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/guzzlehttp/guzzle/CVE-2022-31091.yml	37.0.0
2025-07-04T13:56:01.485803+00:00	GitLab Importer	Fixing	VCID-a9hb-4h2v-17bk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/guzzlehttp/guzzle/GMS-2022-2529.yml	37.0.0
2025-07-04T13:56:01.310625+00:00	GitLab Importer	Fixing	VCID-5z4a-3hkq-fua9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/guzzlehttp/guzzle/GMS-2022-2528.yml	37.0.0
2025-07-01T14:33:09.689819+00:00	GHSA Importer	Fixing	VCID-a9hb-4h2v-17bk	https://github.com/advisories/GHSA-q559-8m2m-g699	36.1.3
2025-07-01T14:33:09.602752+00:00	GHSA Importer	Fixing	VCID-5z4a-3hkq-fua9	https://github.com/advisories/GHSA-25mq-v84q-4j7r	36.1.3
2025-07-01T12:25:43.686187+00:00	GithubOSV Importer	Fixing	VCID-5z4a-3hkq-fua9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-25mq-v84q-4j7r/GHSA-25mq-v84q-4j7r.json	36.1.3
2025-07-01T12:25:39.644919+00:00	GithubOSV Importer	Fixing	VCID-a9hb-4h2v-17bk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-q559-8m2m-g699/GHSA-q559-8m2m-g699.json	36.1.3