CVE-2026-55766
CR/LF Injection in guzzlehttp/psr7

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again. Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This vulnerability is fixed in 2.12.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: guzzlehttp
Product: psr7
Version / Range: all versions before 2.12.1 (2.12.1 excluded)
CWE ID / Description
CWE-113: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Executive Summary

CVE-2026-55766 is a CRLF injection vulnerability in the guzzlehttp/psr7 PHP library versions prior to 2.12.1. The library did not reject carriage return (CR) and line feed (LF) characters in certain HTTP start-line fields such as the request method, protocol version, and response reason phrase.

If attacker-controlled data is placed into these fields and the message is serialized as raw HTTP/1.x, it can result in attacker-controlled header lines being injected. This can happen when malformed raw messages are parsed and then serialized again.

The vulnerability requires the malformed message to be serialized and sent over the network or otherwise processed by software that does not reject the malformed start line. Simply creating or modifying a PSR-7 object is not enough to trigger the issue.

This vulnerability was fixed in version 2.12.1 by rejecting CR/LF characters in these fields before storing them.

Compliance Impact

This vulnerability allows attacker-controlled CR/LF characters to be injected into HTTP start-line fields, potentially leading to header injection, response splitting, request smuggling, or cache poisoning. Such attacks can compromise the integrity and confidentiality of HTTP communications.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable injection and manipulation of HTTP headers can increase the risk of data breaches or unauthorized data exposure, which may impact compliance with these regulations.

Therefore, organizations using affected versions of guzzlehttp/psr7 should apply the patch or implement mitigations to reduce the risk of non-compliance due to potential data integrity or confidentiality issues arising from this vulnerability.

Impact Analysis

This vulnerability can lead to several security issues such as HTTP header injection, response splitting, request smuggling, or cache poisoning.

If an attacker can inject CR/LF characters into HTTP start-line fields, they can manipulate HTTP headers or responses, potentially allowing them to bypass security controls, poison caches, or interfere with the normal operation of HTTP-based applications.

The vulnerability affects applications that manually serialize PSR-7 messages, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, testing, or similar code.

The CVSS score for this vulnerability is 4.8 (Moderate), indicating a moderate impact.

Detection Guidance

This vulnerability can be detected by inspecting the HTTP start-line fields (request method, protocol version, and response reason phrase) for carriage return (CR) and line feed (LF) characters, which must never appear inside those fields.

Since exploitation requires a serialized raw HTTP/1.x message that carries attacker-controlled header lines, monitor network traffic for malformed HTTP start lines, including start lines that have been split into extra lines by injected CR/LF.

Network packet capture and analysis tools such as tcpdump or Wireshark can filter HTTP traffic so that the start lines can be checked for unexpected CR/LF characters.

  • Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 8080'
  • Use grep or a similar tool on the captured text to find carriage returns that are not part of a normal CR LF line terminator, for example: grep -nP '\r(?!$)' captured_http_traffic.txt. An injected CR LF pair simply begins a new line in the capture, so also compare each start line against the expected shape (METHOD target HTTP/x.y for requests, HTTP/x.y status reason for responses).

Additionally, review application logs or serialized PSR-7 messages for unexpected header injections or malformed start lines.

Mitigation Strategies

The primary mitigation is to upgrade the guzzlehttp/psr7 library to version 2.12.1 or later, where the vulnerability is fixed by rejecting CR/LF characters in HTTP start-line fields.

As a workaround before upgrading, validate any untrusted input used in the request method, protocol version, and reason phrase fields to ensure they do not contain CR or LF characters.

Applications that parse, forward, or serialize raw HTTP messages should validate the raw start line before parsing or avoid reparsing untrusted raw messages to prevent exploitation.
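The workaround above (validating the three start-line fields) and the raw start-line check for forwarding code, as an added example that is not part of the advisory or of guzzlehttp/psr7: a dependency-free PHP 8 guard to call before untrusted values reach a Request/Response constructor or withMethod()/withProtocolVersion()/withStatus(), and a check to run on a raw HTTP/1.x message before it is handed to Message::parseRequest()/parseResponse(). Function and constant names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not library code. Pure PHP (8.0+), no Composer packages needed.
// Request method must be an RFC 9110 token.
const TCHAR_RE = '/\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

// Reject a value for one of the start-line fields named in the advisory.
function assertStartLineField(string $field, string $value): string
{
    // CR and LF terminate lines in HTTP/1.x; either one inside a start-line
    // field would let the serialized message grow extra header lines.
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("$field must not contain CR or LF");
    }
    $ok = match ($field) {
        'method'  => preg_match(TCHAR_RE, $value) === 1,
        'version' => preg_match('/\A\d\.\d\z/', $value) === 1,     // e.g. "1.1"
        // reason-phrase = *( HTAB / SP / VCHAR / obs-text ), may be empty
        'reason'  => preg_match('/\A[\t\x20-\x7E\x80-\xFF]*\z/', $value) === 1,
        default   => throw new InvalidArgumentException("unknown field $field"),
    };
    if (!$ok) {
        throw new InvalidArgumentException("$field has an invalid value");
    }
    return $value;
}

// For code that forwards or replays raw HTTP/1.x: validate the start line
// (everything before the first CRLF) before any parser sees the message.
function rawStartLineIsWellFormed(string $raw, bool $isRequest): bool
{
    $end = strpos($raw, "\r\n");
    if ($end === false) {
        return false;
    }
    $startLine = substr($raw, 0, $end);
    if (preg_match('/[\r\n]/', $startLine) === 1) {   // bare CR or LF inside the line
        return false;
    }
    $shape = $isRequest
        ? '~\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/\d\.\d\z~'
        : '~\AHTTP/\d\.\d [1-5]\d\d(?: [\t\x20-\x7E\x80-\xFF]*)?\z~';
    return preg_match($shape, $startLine) === 1;
}

// Constructed sample values: a clean method, a reason phrase carrying CR LF
// (the defect the advisory describes), and a clean raw request start line.
assertStartLineField('method', 'POST');
try {
    assertStartLineField('reason', "OK\r\nX-Injected: 1");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(rawStartLineIsWellFormed("GET /index HTTP/1.1\r\nHost: example.test\r\n\r\n", true));
```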
