{"api_version":"1","generated_at":"2026-04-23T09:40:03+00:00","cve":"CVE-2023-29197","urls":{"html":"https://cve.report/CVE-2023-29197","api":"https://cve.report/api/cve/CVE-2023-29197.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-29197","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-29197"},"summary":{"title":"CVE-2023-29197","description":"guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\\n) into both the header names and values. While the specification states that \\r\\n\\r\\n is used to terminate the header list, many servers in the wild will also accept \\n\\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-04-17 22:15:00","updated_at":"2024-01-01 01:15:00"},"problem_types":["CWE-436"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: php-nyholm-psr7-1.6.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: php-nyholm-psr7-1.7.0-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw","name":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw","refsource":"MISC","tags":[],"title":"Improper header validation in guzzlehttp/psr7 · Advisory · guzzle/psr7 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","name":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","refsource":"MISC","tags":[],"title":"Improper Input Validation in guzzlehttp/psr7 · Advisory · guzzle/psr7 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","name":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","refsource":"MISC","tags":[],"title":"RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775","name":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775","refsource":"MISC","tags":[],"title":"CVE -\nCVE-2022-24775","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html","name":"https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29197","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29197","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"29197","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29197","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29197","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"guzzlephp","cpe5":"psr-7","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-29197","qid":"183595","title":"Debian Security Update for php-guzzlehttp-psr7php-nyholm-psr7 (CVE-2023-29197)"},{"cve":"CVE-2023-29197","qid":"200156","title":"Ubuntu Security Notification for php-nyholm-psr7 Vulnerability (USN-6671-1)"},{"cve":"CVE-2023-29197","qid":"200159","title":"Ubuntu Security Notification for php-guzzlehttp-psr7 Vulnerabilities (USN-6670-1)"},{"cve":"CVE-2023-29197","qid":"283946","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2023-c29ae4c76f)"},{"cve":"CVE-2023-29197","qid":"284164","title":"Fedora Security Update for Hypertext Preprocessor (PHP) (FEDORA-2023-b0811dc6e4)"},{"cve":"CVE-2023-29197","qid":"691202","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mediawiki (95dad123-180e-11ee-86ba-080027eda32c)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-29197","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\\n) into both the header names and values. While the specification states that \\r\\n\\r\\n is used to terminate the header list, many servers in the wild will also accept \\n\\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-436: Interpretation Conflict","cweId":"CWE-436"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"guzzle","product":{"product_data":[{"product_name":"psr7","version":{"version_data":[{"version_affected":"=","version_value":"< 1.9.1"},{"version_affected":"=","version_value":">= 2.0.0, < 2.4.5"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw","refsource":"MISC","name":"https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw"},{"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","refsource":"MISC","name":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775","refsource":"MISC","name":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775"},{"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","refsource":"MISC","name":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/"}]},"source":{"advisory":"GHSA-wxmh-65f7-jcvw","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-04-17 22:15:00","lastModifiedDate":"2024-01-01 01:15:00","problem_types":["CWE-436"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.4.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*","versionEndExcluding":"1.9.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}