GHSA-8jp9-mpv9-98rj: amphp/http-client Header leakage on cross-domain redirects

May 15, 2024

amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, which were not removed correctly. Message::setHeaders does not replace the entire set of headers, but only operates on the headers matching the given array keys.

References

github.com/FriendsOfPHP/security-advisories/blob/master/amphp/http-client/2020-06-16.yaml
github.com/advisories/GHSA-8jp9-mpv9-98rj
github.com/amphp/http-client
github.com/amphp/http-client/commit/fa7925363e6d5a0d0d337e2e6eb1affb93cf226e
github.com/amphp/http-client/releases/tag/v4.4.0

Code Behaviors & Features

Detect and mitigate GHSA-8jp9-mpv9-98rj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →