SCA: security update for guzzlehttp/psr7 (GHSA-hq7v-mx3g-29hw)

medium Tenable Self-Hosted Container Security Plugin ID 443078

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not
reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow
is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7
`Uri` or `Request`. Third, the host component contains CRLF or another header-unsafe character. Fourth,
the host is copied into the PSR-7 `Host` header when no explicit `Host` header is provided. Finally, the
request is serialized or sent by an HTTP client that does not independently reject the malformed host. In
that flow, an attacker can cause the serialized request to contain additional attacker-controlled header
lines. For example, a host containing `"\r\nX-Injected: yes"` can cause the generated `Host` header to
span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound
HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In
deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed
request may also contribute to request smuggling or cache poisoning, depending on how downstream
components parse the request. The issue is patched in `2.10.2` and later. `1.x` is end-of-life and will
not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing
PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL,
including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure
the final HTTP client or serializer rejects invalid URI and header data before writing requests to the
network. (CVE-2026-49214)
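The workaround above (reject untrusted URI strings that carry control characters, whitespace or DEL before a PSR-7 `Uri` or `Request` is built) as an added PHP example; this is not code from the Tenable plugin or from guzzlehttp/psr7, the function name `assertSafeOutboundUri` is assumed, and the sample URLs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Validate an untrusted URI string before it is used to build a PSR-7 Uri or Request.
 * Rejects ASCII control characters (0x00-0x1F), whitespace and DEL anywhere in the
 * string, then allow-lists the host component. Returns the URI unchanged or throws.
 */
function assertSafeOutboundUri(string $uri): string
{
    // CR, LF, TAB, SPACE, NUL and DEL are all header-unsafe; reject the raw URI outright.
    if (preg_match('/[\x00-\x20\x7F]/', $uri) === 1) {
        throw new InvalidArgumentException('URI contains control, whitespace or DEL characters');
    }

    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URI must be absolute and carry a host');
    }

    // Conservative host allow-list: RFC 3986 reg-name characters (no percent-encoding)
    // or a bracketed IPv6 literal. parse_url() keeps the brackets in 'host'.
    $host = $parts['host'];
    $regName = '/\A[A-Za-z0-9\-._~!$&\'()*+,;=]+\z/';
    $ipv6 = '/\A\[[0-9A-Fa-f:.]+\]\z/';
    if (preg_match($regName, $host) !== 1 && preg_match($ipv6, $host) !== 1) {
        throw new InvalidArgumentException('URI host contains disallowed characters');
    }
    return $uri;
}

// Constructed sample inputs: the advisory's CRLF example plus a few variants.
$samples = [
    "https://example.com/webhook",
    "https://example.com\r\nX-Injected: yes/",
    "https://exam ple.com/",
    "https://example.com\x7F/",
    "https://[2001:db8::1]:8443/hook",
];
foreach ($samples as $sample) {
    try {
        assertSafeOutboundUri($sample);
        echo 'accepted: ', json_encode($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($sample), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only the first and last samples are accepted; the CRLF, space and DEL variants are rejected before any `Uri` object exists, which is the point of the workaround.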

Solution

Update the guzzlehttp/psr7 library and its related packages to version 2.10.2 or later.

See Also

https://github.com/advisories/GHSA-hq7v-mx3g-29hw

Plugin Details

Severity: Medium

ID: 443078

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 6/11/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-49214

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/11/2026

Vulnerability Publication Date: 6/11/2026

Reference Information

CVE: CVE-2026-49214