CVE-2026-48998
Undergoing Analysis - In Progress
Host Header Injection in Guzzle PSR-7

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `[email protected]`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value.

Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\Psr7\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\Psr7\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host.

The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch.

Some workarounds are available. Validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.
Meta Information
EPSS evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor: guzzlehttp
Product: psr7
Version / Range: up to 2.10.2 (exclusive)
CWE
  • CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  • CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-48998 is a vulnerability in the guzzlehttp/psr7 PHP library, which implements PSR-7 HTTP message handling. Versions before 2.10.2 improperly validate the Host header when parsing raw HTTP requests or deriving server request URIs. An attacker can send a malformed Host header containing URI authority delimiters like an '@' symbol, causing the library to misinterpret the Host value as containing userinfo and host parts.

This misinterpretation can cause the URI host derived by the library to differ from the original Host header, potentially leading applications to route requests or apply security checks incorrectly. The vulnerability affects applications that parse attacker-controlled raw HTTP requests using vulnerable functions and then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions.

The issue is fixed in version 2.10.2. Workarounds include validating the Host header to ensure it only contains a valid URI host and optional port before parsing or making routing decisions.

Compliance Impact

The vulnerability in guzzlehttp/psr7 involves improper validation of the Host header, which can lead to requests or credentials being sent to unintended hosts. This misrouting or forwarding of requests could potentially expose sensitive data or credentials to unauthorized parties.

Such exposure or misrouting of data may impact compliance with standards and regulations like GDPR or HIPAA, which require protection of personal and sensitive information and mandate secure handling of data to prevent unauthorized access or disclosure.

However, the CVE description and resources do not explicitly mention compliance impacts or specific regulatory consequences.

Impact Analysis

This vulnerability can impact you by causing your application to route requests or select credentials based on a misinterpreted Host header. In scenarios where your application forwards requests or acts as a gateway, this can lead to requests or sensitive credentials being sent to an unintended or malicious host.

Such misrouting can result in information disclosure, unauthorized access, or other security issues because the application trusts the manipulated URI host derived from the malformed Host header.

Detection Guidance

Exploitation attempts can be detected by monitoring HTTP requests for malformed Host headers containing URI authority delimiters such as the '@' symbol.

Specifically, look for Host header values that include userinfo, path, query, or fragment delimiters that are not normally valid.

Network traffic inspection tools or command-line utilities such as tcpdump and grep can filter HTTP requests with suspicious Host headers, for example:

  • Using tcpdump to capture HTTP traffic and filter Host headers containing '@' (this sees cleartext HTTP on port 80 only; TLS traffic has to be inspected where it is terminated): tcpdump -A -s 0 'tcp port 80' | grep -i 'Host:.*@'
  • Using grep on web server logs to find suspicious Host headers (the Host header only appears in an access log whose LogFormat records it, for example via %{Host}i in Apache; adjust the pattern to the way your format writes it): grep -i 'Host:.*@' /var/log/httpd/access_log
  • Implement application-level logging to detect when Host headers with malformed values are parsed by vulnerable functions like Message::parseRequest() or parse_request().

Mitigation Strategies

The immediate mitigation step is to upgrade the guzzlehttp/psr7 library to version 2.10.2 or later, where this vulnerability is patched.

If upgrading is not immediately possible, implement validation of the Host header before parsing or using it for routing or forwarding decisions.

  • Validate that the Host header matches the pattern of a valid URI host optionally followed by a port, rejecting any Host values containing userinfo, path, query, fragment delimiters, whitespace, or control characters.
  • Reject or sanitize incoming HTTP requests with malformed Host headers before passing them to vulnerable parsing functions like Message::parseRequest() or parse_request().

Note that version 1.x of guzzlehttp/psr7 is end-of-life and will not receive a patch, so migration to 2.10.2 or later is strongly recommended.
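The validation the Description and Mitigation Strategies call for, together with the application-level detection suggested under Detection Guidance, as an added example; this is not code from guzzlehttp/psr7 or from the advisory. It assumes PHP 8 and, for the final parsing step only, guzzlehttp/psr7 installed via Composer; the function names (`explainHostRejection`, `isValidHostHeader`, `hostHeaderOf`, `parseRequestIfHostValid`, `scanLoggedHosts`), the `host="..."` log format and all sample values are this example's own.

```php
<?php
// Added example (not guzzlehttp/psr7's own code, not the advisory's): validate
// the Host header as `uri-host [ ":" port ]` (RFC 3986 host, optional port)
// before a raw request reaches GuzzleHttp\Psr7\Message::parseRequest(), and
// reuse the same predicate to flag malformed Host values in application logs.
declare(strict_types=1);

// RFC 3986: host = IP-literal / IPv4address / reg-name. "@", "/", "?" and "#"
// are not in reg-name, so userinfo, path, query and fragment delimiters fail.
// The IP-literal branch checks shape only, not full IPv6 validity.
const HOST_PATTERN = '/^(?:'
    . '\[[0-9A-Fa-f:.]+(?:%25[A-Za-z0-9._~-]+)?\]'            // IPv6 literal (+ zone id)
    . '|\[v[0-9A-Fa-f]+\.[A-Za-z0-9._~!$&\'()*+,;=:-]+\]'     // IPvFuture
    . '|(?:[A-Za-z0-9._~!$&\'()*+,;=-]|%[0-9A-Fa-f]{2})+'     // reg-name (IPv4 included)
    . ')(?::[0-9]*)?$/D';                                     // optional ":port"

// Returns null when $host is a valid `uri-host [ ":" port ]`, else the reason.
function explainHostRejection(string $host): ?string
{
    // Explicit delimiter checks first, so a rejection log line says what was found.
    if (preg_match('/[\x00-\x20\x7F]/', $host) === 1) {
        return 'whitespace or control character';
    }
    foreach (['@' => 'userinfo', '/' => 'path', '?' => 'query', '#' => 'fragment'] as $ch => $part) {
        if (str_contains($host, $ch)) {
            return sprintf('%s delimiter "%s"', $part, $ch);
        }
    }
    if (preg_match(HOST_PATTERN, $host) !== 1) {
        return 'not uri-host [ ":" port ]';
    }
    return null;
}

function isValidHostHeader(string $host): bool { return explainHostRejection($host) === null; }

// Host header of a raw HTTP/1.x message, or null when absent or duplicated.
function hostHeaderOf(string $rawRequest): ?string
{
    [$head] = preg_split("/\r?\n\r?\n/", $rawRequest, 2);   // headers end at the blank line
    $lines = preg_split("/\r?\n/", $head);
    array_shift($lines);                                     // drop the request line
    $host = null;
    foreach ($lines as $line) {
        if (stripos($line, 'host:') === 0) {
            if ($host !== null) {
                return null;                                 // two Host headers: ambiguous
            }
            $host = trim(substr($line, 5));                  // optional whitespace is allowed
        }
    }
    return $host;
}

// Guarded replacement for a direct Message::parseRequest() call on untrusted
// input. Assumes guzzlehttp/psr7 is installed via Composer.
function parseRequestIfHostValid(string $rawRequest): \Psr\Http\Message\RequestInterface
{
    $host = hostHeaderOf($rawRequest);
    if ($host === null) {
        throw new InvalidArgumentException('missing or duplicated Host header');
    }
    if (($why = explainHostRejection($host)) !== null) {
        throw new InvalidArgumentException("rejected Host header: $why");
    }
    return \GuzzleHttp\Psr7\Message::parseRequest($rawRequest);
}

// Detection: run the same predicate over Host values an application logged
// (constructed format `... host="<value>" ...`; a stock access log only carries
// the Host header if its LogFormat records it). Returns one hit per bad value.
function scanLoggedHosts(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (preg_match('/\bhost="([^"]*)"/', $line, $m) !== 1) {
            continue;
        }
        $why = explainHostRejection($m[1]);
        if ($why !== null) {
            $hits[] = ['line' => $i + 1, 'host' => $m[1], 'reason' => $why];
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Why "@" matters: PHP's own authority parsing puts everything before "@"
    // into "user" and only the remainder into "host" (constructed value).
    var_dump(parse_url('http://trusted.example@internal.example'));
    $sampleLog = [                                           // constructed sample lines
        '2026-06-11T10:00:00Z host="www.example" path="/"',
        '2026-06-11T10:00:01Z host="trusted.example@internal.example" path="/"',
        '2026-06-11T10:00:02Z host="[::1]:8080" path="/healthz"',
        '2026-06-11T10:00:03Z host="www.example/admin" path="/"',
    ];
    print_r(scanLoggedHosts($sampleLog));
    $raw = "GET /api HTTP/1.1\r\nHost: www.example:8443\r\n\r\n";
    echo isValidHostHeader(hostHeaderOf($raw) ?? '') ? "accepted\n" : "rejected\n";
}
```

The checks run in a fixed order so that a rejection record names the delimiter that was found, which is the signal the Detection Guidance section asks application logging to surface. The `parse_url()` call at the top of the demo shows, with PHP's own authority parsing, the reinterpretation the Description refers to: everything before '@' becomes `user` and only the remainder becomes `host`, so a forwarding decision based on the parsed host would target the remainder rather than the value a reviewer sees in the Host header. The IP-literal branch of the pattern only checks shape; where exact IPv6 literals matter, pass the bracketed part through `filter_var()` with `FILTER_VALIDATE_IP` as well.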
