CVE-2026-48998
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
The guzzlehttp/psr7 library in versions prior to 2.10.2 contains improper Host header validation, which can lead to incorrect URI processing in HTTP requests. An attacker can provide a malicious Host header, resulting in a discrepancy between the original value and the URI host value.
Risk Assessment
Organizations may be exposed to unintended forwarding of requests or credentials to inappropriate hosts, potentially leading to data leakage or unauthorized access.
Recommendation
It is recommended to validate the Host header as 'uri-host [ ':' port ]' before processing HTTP request data and to reject Host values containing userinfo, path, query, or fragment delimiters.
Original NVD description (English source)
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `[email protected]`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\Psr7\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\Psr7\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.

