CVE-2026-49214
Status: Undergoing Analysis - In Progress
HTTP Header Injection in guzzlehttp/psr7

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7 `Uri` or `Request`. Third, the host component contains CRLF or another header-unsafe character. Fourth, the host is copied into the PSR-7 `Host` header when no explicit `Host` header is provided. Finally, the request is serialized or sent by an HTTP client that does not independently reject the malformed host. In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing `"\r\nX-Injected: yes"` can cause the generated `Host` header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request. The issue is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product   Version / Range
guzzlehttp  psr7      2.10.2
guzzlehttp  psr7      to 2.10.2 (exc)
CWE ID   Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Executive Summary

CVE-2026-49214 is a CRLF injection vulnerability in the guzzlehttp/psr7 PHP library versions prior to 2.10.2. The library fails to reject ASCII control characters, whitespace, or DEL characters in the host component of URIs when creating PSR-7 HTTP requests. This allows an attacker to inject malicious header lines by including characters like "\r\nX-Injected: yes" in the host part of a URL. When the request is serialized or sent by an HTTP client that does not independently reject such malformed hosts, the injected headers become part of the HTTP request.

This vulnerability affects applications that accept user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar flows. The issue can lead to HTTP header injection and potentially enable request smuggling or cache poisoning in environments using HTTP/1.1 connection reuse, proxies, gateways, or load balancers.

The vulnerability is fixed in guzzlehttp/psr7 version 2.10.2 and later. As a workaround, applications should validate and reject any untrusted URI strings containing control characters before constructing PSR-7 Uri or Request instances.

Impact Analysis

This vulnerability allows an attacker to inject additional HTTP header lines into requests your application sends. The resulting HTTP header injection may be used to manipulate how downstream servers or proxies interpret the request.

In environments using HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this vulnerability can contribute to more severe attacks such as request smuggling or cache poisoning. These attacks can disrupt normal traffic flow, cause security bypasses, or lead to unauthorized data exposure.

Applications that use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, or webhook delivery are particularly at risk if they do not validate and sanitize input properly.

Detection Guidance

This vulnerability can be detected by inspecting outbound HTTP requests constructed using the guzzlehttp/psr7 library for the presence of ASCII control characters, whitespace, or DEL characters in the host component of URIs.

Specifically, look for suspicious host headers containing CRLF sequences or other header-unsafe characters that could cause HTTP header injection, such as "\r\nX-Injected: yes".

On the network, you can capture HTTP traffic and search for multi-line Host headers or unexpected injected headers using tools like tcpdump or Wireshark.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'
  • Use grep or similar tools to search for CRLF sequences or suspicious header injections in captured traffic or logs.
  • Within application logs or code, audit any user-controlled URLs used to construct PSR-7 Uri or Request objects for control characters or whitespace in the host component.

Mitigation Strategies

The primary mitigation is to upgrade the guzzlehttp/psr7 library to version 2.10.2 or later, where the vulnerability is patched.

If upgrading immediately is not possible, validate and reject all untrusted URI strings before constructing PSR-7 Uri or Request instances.

  • Reject input containing ASCII control characters, whitespace, or DEL characters, including CRLF, tab, space, NUL, or DEL characters in the host component.
  • Ensure that any HTTP client or serializer used rejects invalid URI and header data before sending requests to the network.

Applications that forward requests should carefully sanitize and validate URLs to prevent injection of malicious header lines.
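The following PHP is an added example that is not part of this advisory or of the guzzlehttp/psr7 code base. It implements the workaround from the Description and the audit step from Detection Guidance in one place: a gate that rejects any untrusted URI string containing an ASCII control character, whitespace, or DEL before the string reaches `new \GuzzleHttp\Psr7\Uri()` or `new \GuzzleHttp\Psr7\Request()`, plus a log-audit helper that reports such URIs with their control bytes escaped. The function names (`isHeaderSafeUri`, `rejectUnsafeUri`, `escapeForLog`, `findUnsafeUris`) and the sample URLs are constructed for the example; the second sample carries the `"\r\nX-Injected: yes"` host pattern the advisory describes.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2026-49214 (not code from guzzlehttp/psr7 or the
// advisory). Function names and the sample URLs below are constructed.

/**
 * True when $uri contains none of the characters the advisory says must be
 * rejected: ASCII control characters (0x00-0x1F, which covers CR, LF, tab and
 * NUL), space (0x20) and DEL (0x7F). Matching is byte-based, so a raw CRLF
 * anywhere in the string, host component included, is caught.
 */
function isHeaderSafeUri(string $uri): bool
{
    return preg_match('/[\x00-\x20\x7F]/', $uri) !== 1;
}

/**
 * Gate to call on untrusted input before new \GuzzleHttp\Psr7\Uri($uri) or
 * new \GuzzleHttp\Psr7\Request($method, $uri). Returns the URI unchanged when
 * it is acceptable, otherwise throws so the request is never constructed.
 */
function rejectUnsafeUri(string $uri): string
{
    if (!isHeaderSafeUri($uri)) {
        throw new InvalidArgumentException('URI contains a control, whitespace or DEL character');
    }
    // A URI with no host cannot populate a Host header; refuse it as well.
    $parts = parse_url($uri);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException('URI has no parseable host');
    }
    return $uri;
}

/**
 * Render a URI safely for a log line: every byte outside printable ASCII is
 * shown as \xNN, so an injected CRLF cannot also break the log format.
 */
function escapeForLog(string $uri): string
{
    return preg_replace_callback(
        '/[\x00-\x1F\x7F-\xFF]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $uri
    );
}

/**
 * Audit helper for application logs: given the URLs an application accepted
 * (one per array element, recorded before request construction), return the
 * offending positions together with an escaped rendering of each URL.
 */
function findUnsafeUris(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!isHeaderSafeUri($line)) {
            $hits[] = ['line' => $i + 1, 'uri' => escapeForLog($line)];
        }
    }
    return $hits;
}

// Constructed sample input: three URLs an application might have accepted.
// The second carries the CRLF pattern from the advisory inside its host part;
// the third has a raw space in the host.
$sample = [
    "https://example.com/webhook",
    "https://example.com\r\nX-Injected: yes/webhook",
    "https://exa mple.com/",
];

foreach (findUnsafeUris($sample) as $hit) {
    printf("line %d: unsafe URI %s\n", $hit['line'], $hit['uri']);
}

foreach ($sample as $uri) {
    try {
        rejectUnsafeUri($uri);
        echo "accepted: ", escapeForLog($uri), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", escapeForLog($uri), " (", $e->getMessage(), ")\n";
    }
}
```

The check deliberately runs over the whole URI string rather than only over the host that `parse_url()` extracts: that is what the advisory's workaround asks for, and it avoids depending on how leniently the parser splits an authority that already contains a CRLF. The audit helper works on URLs recorded at the application boundary because that is where the injected characters are still visible; a capture of port 443 traffic is TLS-encrypted, so packet-level inspection of Host headers only applies to plaintext HTTP or to a point after TLS termination.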

Compliance Impact

The provided information does not explicitly address how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
