CVE-2026-59883
Received Received - Intake

Cookie Exposure in Guzzle HTTP Client

Vulnerability report for CVE-2026-59883, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
guzzle guzzle to 7.12.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59883 is a security vulnerability in the Guzzle PHP HTTP client library prior to version 7.12.3. The issue arises because the CookieJar component did not properly restrict cookies scoped to IP addresses or bare numeric domain values to the exact host that set them. Instead, it applied ordinary suffix matching to such domains (e.g., 192.168.0.1, [::1], or 1), which allowed cookies to be sent to other hosts with similar numeric patterns.

This improper handling violates RFC 6265, which requires that cookies scoped to IP addresses or numeric hosts must match exactly the host that set them. Because of this, an attacker could exploit the vulnerability by causing cross-host cookie disclosure, cookie injection, or session fixation attacks.

Impact Analysis

This vulnerability can lead to several security impacts including cross-host cookie disclosure, where cookies intended for one host could be accessed by another host with a similar numeric domain. It also enables cookie injection, allowing an attacker to insert malicious cookies, and session fixation, where an attacker can fixate a user's session by controlling cookies.

Such impacts can compromise user privacy and security by exposing sensitive session information or enabling unauthorized access to user sessions.

Detection Guidance

This vulnerability involves improper handling of cookies scoped to IP addresses or numeric domains in the Guzzle HTTP client library prior to version 7.12.3. Detection would involve identifying if your system or network is using a vulnerable version of Guzzle and if cookies scoped to IP addresses or bare numeric domains are being used or transmitted improperly.

Since the issue is related to cookie domain matching, you can monitor HTTP traffic for cookies with IP address or numeric domain attributes that are being sent to hosts other than the exact IP address that set them.

Suggested commands to detect this behavior could include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP cookie headers and inspect their domain attributes.

  • Use tcpdump to capture HTTP traffic and filter for cookie headers: tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Cookie'
  • Use Wireshark to filter HTTP traffic with the display filter: http.cookie
  • Inspect captured cookies for domain attributes that are IP addresses or numeric values and verify if they are sent to hosts other than the exact IP address.

Additionally, check the version of Guzzle used in your applications by inspecting your dependency manager (e.g., composer) to see if it is older than 7.12.3.

Mitigation Strategies

The primary and recommended mitigation for this vulnerability is to upgrade the Guzzle HTTP client library to version 7.12.3 or later, where the issue is fixed.

Other mitigation steps include:

  • Avoid scoping cookies to IP addresses or bare numeric domains.
  • Use separate cookie jars per host or trust boundary to prevent cross-host cookie leakage.

These steps help prevent cross-host cookie disclosure, cookie injection, or session fixation attacks that could arise from the vulnerability.

Compliance Impact

The vulnerability in Guzzle's CookieJar component allows cross-host cookie disclosure, cookie injection, or session fixation by improperly handling cookies scoped to IP addresses or numeric domains. This can lead to unintended exposure of sensitive session or user information across hosts.

Such information exposure and session fixation issues can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on personal data confidentiality and session security.

By allowing cookies to be sent to unintended hosts, the vulnerability increases the risk of unauthorized access or data leakage, which could result in violations of these regulations.

Mitigations include upgrading to Guzzle version 7.12.3 or later, which enforces exact matching for IP and numeric cookie domains, thereby reducing the risk of cross-host cookie leakage and improving compliance posture.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart