Patch released for cross-domain cookie leakage flaw in Guzzle

Adam Bannister 27 May 2022 at 14:10 UTC

Drupal rolls out update for issue that is contingent on cookie middleware being enabled

The maintainers of Guzzle, the popular HTTP client for PHP applications, have addressed a high severity vulnerability leading to cross-domain cookie leakage.

Drupal, the open source content management system (CMS), is among the applications that use the third-party library and has released software updates addressing the issue.

The flaw resides in Guzzle’s cookie middleware, which is disabled by default, “so most library consumers will not be affected by this issue”, reads a GitHub security advisory published by a Guzzle maintainer on Wednesday (May 25).

The cookies crumble

Tracked as CVE-2022-29248, the bug centers on a failure to check if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. This would allow “a malicious server to set cookies for unrelated domains”, continues the advisory.

“For example, an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.”

Catch up on the latest PHP security news

Guzzle is used to send HTTP requests from PHP programs for various use-cases.

The PSR-7-compatible library, which is approaching 22,000 stars on GitHub, is also used by Adobe’s e-commerce platform, Magento, among other applications, as well as by Laravel, the popular PHP web application framework.

However, only users that “manually add the cookie middleware to the handler stack or construct the client with are affected”, explained the advisory. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.

Guzzle maintainers have fixed the flaw in versions 6.5.6, 7.4.3, and 7.5.0, and advised users to ensure cookie middleware is disabled unless cookie support is required.

Drupal updates

In a security advisory issued on the same day as its Guzzle counterpart, Drupal said the Guzzle vulnerability “does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites”.

The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.

Drupal classified the bug as ‘moderately critical’ on its own severity scale, assigning a score of 13 out of 25.

RECOMMENDED Security ‘researcher’ hits back against claims of malicious CTX file uploads