SB2026061852 - CRLF injection in PSR-7


Published: June 18, 2026

Security Bulletin ID: SB2026061852
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) CRLF injection (CVE-ID: CVE-2026-55766)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP header lines.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP start-line fields when serializing PSR-7 messages as raw HTTP/1.x. A remote attacker can supply crafted method, protocol version, or reason phrase values to inject arbitrary HTTP header lines.

Exploitation requires attacker-controlled data to be placed into the request method, protocol version, or response reason phrase and for the malformed message to be serialized and processed by downstream software that does not independently reject the malformed start line.
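The following is an added example illustrating the check described above; it is not code from the bulletin or from any PSR-7 implementation. It shows a serializer that validates each start-line field (method, request target, protocol version, status code and reason phrase) against the RFC 9110/9112 grammar before emitting a raw HTTP/1.x start line, so a CR or LF in any of those fields is refused rather than becoming an extra header line. The class name `StartLineSerializer`, its method names and the sample inputs are all constructed for this demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the bulletin or any PSR-7 library): validate every
 * start-line field before serializing a PSR-7-style message as HTTP/1.x.
 * Grammar follows RFC 9110 (token) and RFC 9112 (HTTP-version, reason-phrase).
 */
final class StartLineSerializer
{
    // RFC 9110 token: 1*tchar (no whitespace, no CTLs, no separators)
    private const TOKEN   = '/\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';
    // RFC 9112 HTTP-version without the "HTTP/" prefix: DIGIT "." DIGIT
    private const VERSION = '/\A[0-9]\.[0-9]\z/';
    // RFC 9112 reason-phrase: *( HTAB / SP / VCHAR / obs-text ); CR and LF are excluded
    private const REASON  = '/\A[\x09\x20-\x7E\x80-\xFF]*\z/';
    // request-target: visible bytes only (no SP, no CTLs such as CR/LF)
    private const TARGET  = '/\A[\x21-\x7E\x80-\xFF]+\z/';

    public static function requestLine(string $method, string $target, string $version): string
    {
        self::check(self::TOKEN, $method, 'method');
        self::check(self::TARGET, $target, 'request target');
        self::check(self::VERSION, $version, 'protocol version');
        return sprintf("%s %s HTTP/%s\r\n", $method, $target, $version);
    }

    public static function statusLine(string $version, int $status, string $reason): string
    {
        self::check(self::VERSION, $version, 'protocol version');
        if ($status < 100 || $status > 599) {
            throw new InvalidArgumentException("Invalid status code: {$status}");
        }
        self::check(self::REASON, $reason, 'reason phrase');
        return sprintf("HTTP/%s %03d %s\r\n", $version, $status, $reason);
    }

    private static function check(string $pattern, string $value, string $field): void
    {
        if (preg_match($pattern, $value) !== 1) {
            // Report the offending value as hex so the error text itself cannot carry CR/LF.
            throw new InvalidArgumentException(sprintf(
                'Refusing to serialize %s containing disallowed bytes: %s',
                $field,
                bin2hex($value)
            ));
        }
    }
}

// Constructed inputs: one well-formed status line and one whose reason phrase
// contains a CRLF, as could happen if an application passed user input to withStatus().
$samples = [
    ['1.1', 200, 'OK'],
    ['1.1', 302, "Found\r\nX-Injected: 1"],
];

foreach ($samples as [$version, $status, $reason]) {
    try {
        echo StartLineSerializer::statusLine($version, $status, $reason);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same validation belongs at the points where application code hands values to a PSR-7 message (`withMethod()`, `withProtocolVersion()`, `withStatus()`), and, as the bulletin notes, the downstream parser is the second layer: a receiver that rejects a bare CR or LF in the start line leaves nothing for the injected header to be processed by.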


Remediation

Install the update from the vendor's website.