CVE-2022-29248 HIGH

CVE-2022-29248: Cross-domain cookie leakage in Guzzle

Vendor Guzzle
Product guzzle
Weakness CWE-200 · Info exposure
Published May 25, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Key dates

02Disclosure timeline

May 25, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41960 CVE-2024-13600 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin <= 1.0.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory CVE-2025-9808 The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure CVE-2019-11282 UAA is vulnerable to a Blind SCIM injection leading to information disclosure CVE-2021-31371 Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces.