Vulnerability details: VCID-5cvv-ya2a-9uay
Vulnerability ID VCID-5cvv-ya2a-9uay
Aliases CVE-2022-29248, GHSA-cwmx-hcrq-mhc3
Summary Guzzle is a PHP HTTP client. Guzzle before versions 6.5.6 and 7.4.3 has a vulnerability in its cookie middleware: when a response carries a Set-Cookie header, the middleware does not check that the cookie's Domain attribute matches the host of the server that sent the response, so a malicious server can set cookies for unrelated domains, and the client then sends those cookies with later requests to those domains. The cookie middleware is disabled by default, so most library consumers are not affected. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client (and therefore the same cookie jar) to call multiple domains and have disabled redirect following are not affected. Guzzle 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
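The check the fix introduces, shown as an added example that is not Guzzle's own code: a standalone PHP re-implementation of the RFC 6265 domain-match rule applied to constructed Set-Cookie headers, which is the shape of the check the referenced commit adds to cookie extraction. The function names (setCookieDomain, domainMatches, acceptableCookies), the sample hosts and the header values are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not Guzzle's implementation. Models the rule the fix adds:
// a Set-Cookie header is stored only if its Domain attribute domain-matches
// the host of the request that received the response (RFC 6265 s5.1.3).

/**
 * Parse the Domain attribute out of a raw Set-Cookie header value.
 * Returns null when the attribute is absent (a host-only cookie).
 */
function setCookieDomain(string $header): ?string
{
    foreach (array_slice(explode(';', $header), 1) as $attr) {
        $parts = explode('=', trim($attr), 2);
        if (strcasecmp($parts[0], 'Domain') === 0 && isset($parts[1])) {
            return trim($parts[1]);
        }
    }
    return null;
}

/**
 * RFC 6265 domain-match: the request host equals the cookie domain or is a
 * subdomain of it. A leading dot is ignored; IP-address hosts never match a
 * domain suffix.
 */
function domainMatches(?string $cookieDomain, string $requestHost): bool
{
    if ($cookieDomain === null) {
        return true; // host-only cookie: belongs to the responding host by definition
    }
    $cookieDomain = ltrim(strtolower($cookieDomain), '.');
    $requestHost  = strtolower($requestHost);
    if ($cookieDomain === '' || $cookieDomain === $requestHost) {
        return true;
    }
    if (filter_var($requestHost, FILTER_VALIDATE_IP)) {
        return false;
    }
    return (bool) preg_match('/\.' . preg_quote($cookieDomain, '/') . '$/', $requestHost);
}

/**
 * Return only the Set-Cookie headers that a response from $requestHost may
 * store in a shared jar. Before the fix every header was stored.
 */
function acceptableCookies(string $requestHost, array $setCookieHeaders): array
{
    $accepted = [];
    foreach ($setCookieHeaders as $header) {
        if (domainMatches(setCookieDomain($header), $requestHost)) {
            $accepted[] = $header;
        }
    }
    return $accepted;
}

// Constructed sample: a response from attacker.example that tries to plant a
// cookie for an unrelated site alongside cookies for its own domain.
$headers = [
    'session=evil; Domain=bank.example; Path=/',   // cross-domain: dropped
    'tracker=1; Domain=.attacker.example',         // own domain: stored
    'hostonly=2',                                  // no Domain attribute: stored
    'sub=3; Domain=www.attacker.example',          // more specific than the host: dropped
];

foreach (acceptableCookies('attacker.example', $headers) as $ok) {
    echo "stored: {$ok}\n";
}
```

Run with plain php; only the tracker and hostonly cookies are printed. Domain-match alone still accepts any parent domain of the responding host, so a complete cookie store also needs a public-suffix check (RFC 6265 section 5.3); the example, like the advisory text, covers only the cross-domain case. In Guzzle the workaround named above means not passing 'cookies' => true (or a CookieJar) to the client and not pushing Middleware::cookies() onto the handler stack; the fix is upgrading to 6.5.6 or 7.4.3.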
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
System Score Found at
epss 0.00397 https://api.first.org/data/v1/epss?cve=CVE-2022-29248
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cwmx-hcrq-mhc3
cvssv3.1 8.0 https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml
cvssv3.1 8.0 https://github.com/guzzle/guzzle
generic_textual HIGH https://github.com/guzzle/guzzle
cvssv3.1 8 https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
cvssv3.1 8.0 https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
generic_textual HIGH https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
ssvc Track https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
cvssv3.1 8 https://github.com/guzzle/guzzle/pull/3018
cvssv3.1 8.0 https://github.com/guzzle/guzzle/pull/3018
generic_textual HIGH https://github.com/guzzle/guzzle/pull/3018
ssvc Track https://github.com/guzzle/guzzle/pull/3018
cvssv3.1 8 https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
cvssv3.1 8.0 https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
cvssv3.1_qr HIGH https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
generic_textual HIGH https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
ssvc Track https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2022-29248
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2022-29248
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-29248
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-29248
archlinux Unknown https://security.archlinux.org/AVG-2823
cvssv3.1 8 https://www.debian.org/security/2022/dsa-5246
cvssv3.1 8.0 https://www.debian.org/security/2022/dsa-5246
generic_textual HIGH https://www.debian.org/security/2022/dsa-5246
ssvc Track https://www.debian.org/security/2022/dsa-5246
cvssv3.1 8 https://www.drupal.org/sa-core-2022-010
cvssv3.1 8.0 https://www.drupal.org/sa-core-2022-010
generic_textual HIGH https://www.drupal.org/sa-core-2022-010
ssvc Track https://www.drupal.org/sa-core-2022-010
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-29248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41767
https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml
https://github.com/guzzle/guzzle
https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
https://github.com/guzzle/guzzle/pull/3018
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
https://nvd.nist.gov/vuln/detail/CVE-2022-29248
https://www.debian.org/security/2022/dsa-5246
https://www.drupal.org/sa-core-2022-010
1011636 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011636
AVG-2823 https://security.archlinux.org/AVG-2823
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
GHSA-cwmx-hcrq-mhc3 https://github.com/advisories/GHSA-cwmx-hcrq-mhc3
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/guzzle/guzzle
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/ Found at https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/guzzle/guzzle/pull/3018
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/ Found at https://github.com/guzzle/guzzle/pull/3018
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/ Found at https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29248
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29248
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29248
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.debian.org/security/2022/dsa-5246
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/ Found at https://www.debian.org/security/2022/dsa-5246
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.drupal.org/sa-core-2022-010
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/ Found at https://www.drupal.org/sa-core-2022-010
Exploit Prediction Scoring System (EPSS)
Percentile 0.5963
EPSS Score 0.00397
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T11:52:43.027444+00:00 Arch Linux Importer Import https://security.archlinux.org/AVG-2823 36.1.3