GMS-2023-1163: Improper header validation in httpsoft/http-message

April 21, 2023

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.0.12.

Workarounds

There are no known workarounds.

References

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

References

github.com/advisories/GHSA-9jxr-mwpp-w643
github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
github.com/httpsoft/http-message/security/advisories/GHSA-9jxr-mwpp-w643
nvd.nist.gov/vuln/detail/CVE-2023-29197

Code Behaviors & Features

Detect and mitigate GMS-2023-1163 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →