CVE-2023-29530
Severity: HIGH
Laminas Diactoros < 2.18.1 - Denial of Service via Newline in HTTP Header
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros can cause an invalid message by providing a newline at the start or end of a header key or value. This can lead to denial of service vectors or application errors. The problem has been patched in the following versions: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.
References (3)
- Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/
- Vendor Advisory (x_refsource_confirm): https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36
- Not Applicable (x_refsource_misc): https://github.com/advisories/GHSA-wxmh-65f7-jcvw
Scores
- CVSS v3: 7.5
- EPSS: 0.0067
- EPSS Percentile: 71.6%
- Attack Vector: NETWORK
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
Details
- CWE: CWE-20
- Status: published
Products (11)
- fedoraproject/fedora 38
- getlaminas/laminas-diactoros 2.19.0
- getlaminas/laminas-diactoros 2.20.0
- getlaminas/laminas-diactoros 2.21.0
- getlaminas/laminas-diactoros 2.22.0
- getlaminas/laminas-diactoros 2.23.0
- getlaminas/laminas-diactoros 2.24.0
- getlaminas/laminas-diactoros 2.25.0
- getlaminas/laminas-diactoros < 2.18.1
- guzzlephp/psr-7 < 1.9.1
- ... and 1 more
Published: Apr 24, 2023
Tracked Since: Feb 18, 2026