CVE-2022-29248: Guzzle PHP HTTP Client Cookie Domain Vulnerability
CVE-2022-29248 is a security vulnerability in the Guzzle PHP HTTP client in versions prior to 6.5.6 and 7.4.3. Guzzle is a widely used PHP library for making HTTP requests and handling responses. The vulnerability affects cookie handling and may allow a malicious server to set cookies for unrelated domains.
The Vulnerability
The problem lies within Guzzle's Cookie Middleware, which is responsible for managing cookies when making requests. The middleware does not strictly check that the cookie domain in a response's Set-Cookie header matches the domain of the server that sent it. This oversight means that a rogue server could potentially set cookies for different domains, increasing the risk of unauthorized access or data leaks.
An important note is that this vulnerability only affects Guzzle installations that have the Cookie Middleware enabled manually. By default, Guzzle does not use this middleware. Additionally, Guzzle clients that do not send requests to multiple domains with cookies enabled are also at a reduced risk.
The vulnerability has been patched in Guzzle versions 6.5.6 and 7.4.3. Updating to these versions will prevent any potential exploits this vulnerability may present.
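The missing check described above, sketched as stand-alone PHP. This is an added example, not Guzzle's source or its patch; the function names and the sample hosts and Set-Cookie values are constructed, and public-suffix handling (for example Domain=com) is left out.

```php
<?php
// Added illustration, not Guzzle's source or patch. Names and samples are constructed.
/** Return the normalized Domain attribute of a Set-Cookie value, or null if absent. */
function cookieDomainAttr(string $setCookie): ?string
{
    $found = null;
    foreach (array_slice(explode(';', $setCookie), 1) as $attr) {
        [$name, $value] = array_pad(explode('=', trim($attr), 2), 2, '');
        $domain = strtolower(ltrim(trim($value), '.'));
        if (strcasecmp(trim($name), 'Domain') === 0 && $domain !== '') {
            $found = $domain; // the last non-empty Domain attribute wins
        }
    }
    return $found;
}

/** RFC 6265 section 5.1.3 domain-match of the responding host against a cookie domain. */
function domainMatches(string $requestHost, string $cookieDomain): bool
{
    $host = strtolower($requestHost);
    if ($host === $cookieDomain) {
        return true;
    }
    // Suffix matching never applies when the host is an IP address.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix;
}

/** Strict policy: store a cookie only if its domain covers the host that set it. */
function shouldStore(string $requestHost, string $setCookie): bool
{
    $domain = cookieDomainAttr($setCookie);
    // Without a Domain attribute the cookie is host-only and bound to the responder.
    return $domain === null || domainMatches($requestHost, $domain);
}

// Constructed responses: [responding host, Set-Cookie value].
$samples = [
    ['api.example.com', 'sid=1; Path=/; Domain=example.com'], // parent domain
    ['api.example.com', 'sid=2; Path=/'],                      // host-only cookie
    ['evil.test',       'sid=3; Path=/; Domain=example.com'], // unrelated domain
    ['notexample.com',  'sid=4; Domain=example.com'],          // suffix look-alike
];
foreach ($samples as [$host, $header]) {
    printf("%-16s %-36s %s\n", $host, $header, shouldStore($host, $header) ? 'store' : 'reject');
}
```

A jar populated by an unpatched client can be audited the same way, by comparing each stored cookie's domain with the hosts the client is expected to contact.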
Here is a simple example of how the Cookie Middleware can be enabled in Guzzle:
use GuzzleHttp\Client;
// 'cookies' => true makes the client create one cookie jar shared by all of its requests.
$client = new Client([
    'cookies' => true
]);
$response = $client->request('GET', 'https://example.com');
The vulnerable Cookie Middleware can be added to the handler stack like this:
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Cookie\CookieJar;
$stack = HandlerStack::create();
$middleware = Middleware::cookies();
$stack->push($middleware);
// The middleware only handles cookies when a jar is supplied through the 'cookies' option.
$jar = new CookieJar();
$client = new Client([
    'handler' => $stack,
    'cookies' => $jar
]);
$response = $client->request('GET', 'https://example.com');
The Fix
To fix this vulnerability, update your Guzzle installation to version 6.5.6 or 7.4.3. This can be done using Composer:
composer require guzzlehttp/guzzle:^6.5.6
or
composer require guzzlehttp/guzzle:^7.4.3
Workaround
As a temporary workaround, you can disable cookies in Guzzle by removing the Cookie Middleware from your client or handler stack, or by not adding it in the first place. Change the 'cookies' option to false:
use GuzzleHttp\Client;
$client = new Client([
    'cookies' => false
]);
$response = $client->request('GET', 'https://example.com');
Stay vigilant and make sure to keep your software updated to minimize the risk to your applications.
Timeline
Published on: 05/25/2022 18:15:00 UTC
Last modified on: 06/07/2022 18:26:00 UTC