Skip to content

fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security]#2222

Open
renovate-bot wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/iap-packagist-guzzlehttp-guzzle-vulnerability
Open

fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security]#2222
renovate-bot wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/iap-packagist-guzzlehttp-guzzle-vulnerability

Conversation

@renovate-bot

@renovate-bot renovate-bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
guzzlehttp/guzzle (source) ~7.10.0~7.14.0 age confidence

guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext

CVE-2026-55568 / GHSA-wpwq-4j6v-78m3

More information

Details

Impact

The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy — a proxy reached over a TLS-encrypted connection — through the proxy request option, client-level proxy defaults, or proxy environment variables such as http_proxy, https_proxy, HTTPS_PROXY, all_proxy, and ALL_PROXY.

When the installed libcurl does not support HTTPS proxies, behavior depends on the libcurl version/build:

  • libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning.
  • libcurl 7.50.2 through 7.51.x rejects the unsupported proxy scheme at connect time, so no cleartext exposure occurs, but the failure is late and opaque.
  • libcurl 7.52.0 or newer builds without HTTPS-proxy support also fail at connect time rather than downgrading.

The security-relevant case is the silent downgrade on libcurl older than 7.50.2. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2.

In that configuration, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. For plain HTTP requests, request headers and bodies are also exposed on the proxy leg. End-to-end HTTPS requests tunneled through the proxy remain protected by their inner TLS session; the exposure is limited to the proxy negotiation and proxy credentials.

Applications that do not configure an https:// proxy are not affected. Installations running libcurl 7.52.0 or newer built with HTTPS-proxy support are not affected because HTTPS proxies work as intended. Installations running libcurl 7.50.2 through 7.51.x, or libcurl 7.52.0 or newer built without HTTPS-proxy support, are not exposed to the silent cleartext downgrade, but Guzzle now rejects those unsupported configurations up front as well. The built-in stream handler is not affected; the issue is specific to the cURL handlers' proxy handling. Low-level cURL options under the curl request option, such as CURLOPT_PROXY or CURLOPT_PROXYTYPE, are advanced custom configuration and remain the caller's responsibility.

Patches

The issue is patched in 7.12.1 and later. Starting in that release, the built-in cURL handlers detect whether the installed libcurl supports HTTPS proxies — requiring both libcurl 7.52.0 or newer and the CURL_VERSION_HTTPS_PROXY feature bit — and reject a request configured through Guzzle's first-class proxy handling with an https:// proxy up front by throwing a GuzzleHttp\Exception\RequestException. No request bytes reach the network when the proxy cannot be used securely. Versions before 7.12.1 are affected by the silent downgrade when run against libcurl older than 7.50.2.

Workarounds

If you cannot upgrade immediately, do not configure an https:// proxy on an installation whose libcurl lacks HTTPS-proxy support, and verify the capability in application code before using one. Remember to check proxy environment variables as well as any explicit proxy option:

$curl = \curl_version();
$httpsProxyBit = \defined('CURL_VERSION_HTTPS_PROXY') ? \CURL_VERSION_HTTPS_PROXY : (1 << 21);

if (\version_compare($curl['version'], '7.52.0', '<') || 0 === ($curl['features'] & $httpsProxyBit)) {
    throw new \RuntimeException('Installed libcurl does not support HTTPS proxies.');
}

Upgrading the system libcurl to 7.52.0 or newer built with HTTPS-proxy support also resolves the underlying unsupported-proxy behavior.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts

CVE-2026-55767 / GHSA-cwxw-98qj-8qjx

More information

Details

Impact

CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host.

An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. Applications are affected when they use Guzzle's cookie support, for example new Client(['cookies' => true]) or an explicit shared CookieJar, and reuse the same jar across attacker-controlled and trusted origins.

Applications that do not use Guzzle's cookie support, or that use separate cookie jars per origin or trust boundary, are not affected. This issue is distinct from public suffix list validation: dot-only domains contain no domain label and should not match unrelated hosts.

Patches

The issue is patched in 7.12.1 and later. Starting in that release, Guzzle rejects dot-only cookie Domain attributes and prevents an empty normalized cookie domain from matching any request host.

Workarounds

If you cannot upgrade immediately, do not reuse the same CookieJar instance across untrusted and trusted origins. Use separate cookie jars per origin or trust boundary, or disable cookie handling for requests to untrusted hosts.

Avoid using new Client(['cookies' => true]) for clients that may contact unrelated hosts with different trust levels, because that option creates one shared jar for the client.

Severity

  • CVSS Score: 5.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

guzzle/guzzle (guzzlehttp/guzzle)

v7.14.1

Compare Source

Fixed
  • Fail closed when a proxy tunnel isolation cURL option cannot be applied
  • Normalize Stringable proxy credential values before computing connection-reuse section signatures
  • Restore conservative credential redaction for unparseable proxies with multiple @ separators
  • Redact request URI credentials from the stream handler connection error message
  • Reject enabled response streaming (stream => true) on cap-configured stream handlers
  • Distinguish CurlMultiHandler and StreamHandler outcomes in connection-cap custom-handler guidance
  • Reject raw cURL options that conflict with explicit multiplexing guarantees
  • Stop explicit multiplexing conflict checks faulting on non-array cURL multi options values
  • Reject required multiplexing when the final CURLOPT_HTTPAUTH mask permits NTLM
  • Require an integer CURLMOPT_PIPELINING when combined with explicit multiplexing
  • Check the required multiplexing cleartext proxy rule against the final cURL configuration
  • Bound cURL multi handler blocking selects by the earliest pending request delay
  • Stop synchronous cURL multi handler waits blocking on other transfers once the target has settled
  • Stop cURL multi completion processing double-settling promises canceled from completion callbacks
  • Run ready promise queue tasks before sleeping for delayed cURL multi requests
  • Avoid integer overflow in cURL multi delay timing on 32-bit platforms
  • Roll back failed cURL multi handle attachment instead of leaving requests pending
  • Release the cURL easy handle when the on_stats callback throws
  • Normalize response trailer field names to lowercase with values in wire order
  • Retain response trailers only when an on_trailers callback is configured
  • Validate the on_trailers callback before starting a cURL transfer
  • Reject the on_trailers request option on the stream handler, which cannot observe trailers
  • Match cookies, proxy schemes, auth types, and header names with locale-independent ASCII folding
  • Reject proxy option values that Guzzle cannot classify identically to ext-curl

v7.14.0

Compare Source

Added
  • Added the on_trailers request option to expose parsed HTTP response trailers
  • Added the multiplex request option with Multiplexing::* modes to control or require HTTP/2 multiplexing
  • Added rejection of explicit multiplex requests when CURLMOPT_PIPELINING disables multiplexing
  • Added the max_host_connections and max_total_connections client and cURL multi handler options
Changed
  • Redirects that discard the request body no longer require it to be rewindable
  • Synchronous cURL multi handler requests no longer wait for other queued transfers
  • Section SOCKS proxy connections by credentials on libcurl before 7.69.0
  • Reject request-level CURLOPT_SHARE when combined with authenticated SOCKS proxy configuration
  • Redact proxy userinfo containing raw control bytes in cURL errors
  • Check linked curl/libcurl NTLM support before applying NTLM auth
  • Clarify that NTLM is deprecated by both Guzzle and curl/libcurl
  • Remove deprecation for the raw cURL CURLOPT_CERTINFO option
  • Warn when a cURL multi option cannot be applied
Deprecated
  • Deprecate the raw CURLOPT_PIPEWAIT cURL option in favour of the multiplex request option
  • Deprecate unknown handler constructor options
  • Deprecate invalid select_timeout cURL multi handler option values
  • Deprecate raw cURL multi connection cap options in favour of the named options

v7.13.3

Compare Source

Changed
  • Adjusted guzzlehttp/promises version constraint to ^2.5.1
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.4
  • Pass explicit trim characters ahead of the PHP 8.6 trim default change
Fixed
  • Stop matching cookie domains against hosts with a trailing newline
  • Reject HTTP status codes and certificate type extensions with a trailing newline
  • Treat PCRE engine failures as invalid cookie names during cookie validation
  • Report PCRE engine failures when formatting log messages
  • Report PCRE engine failures when splitting no_proxy values

v7.13.2

Compare Source

Fixed
  • Stop the cURL multi handler busy-waiting on request delays shorter than one second
  • Stop cURL HEAD requests with request bodies hanging on responses that declare a content length
  • The cURL handler no longer transmits request bodies on HEAD requests
  • Preserve response headers when a response includes HTTP trailers
  • Harden cURL response header block detection when HTTP trailers are received
  • Corrected the PSR-7 class names in the Pool iterator exception
  • Redirect body rewind failures no longer leak a bare RuntimeException

v7.13.1

Compare Source

Fixed
  • Allow middleware to rewrite partial URIs before transports validate them

v7.13.0

Compare Source

Added
  • Added the crypto_method_max request option to cap the maximum TLS protocol version
  • Added HTTP QUERY redirect support, preserving method and body on 301 and 302
Changed
  • Section proxy tunnel connection reuse by credential so distinct credentials never share a tunnel
  • Isolate concurrent foreign cURL proxy tunnels added while another owner's tunnel is active
  • Route credentialed HTTP(S) proxy Proxy-Authorization headers through cURL proxy header handling
  • Reject request-level CURLOPT_SHARE when combined with authenticated HTTP/HTTPS proxy tunnel configuration
  • Remove deprecation for raw cURL CURLOPT_PREREQFUNCTION callbacks when defined by PHP cURL
  • Route TLS 1.2 crypto_method requests to the stream handler when cURL cannot select TLS 1.2
  • Reject final request URIs missing a scheme or host before transfer
Deprecated
  • Deprecate invalid protocols, force_ip_resolve, delay, cookies, and allow_redirects values

v7.12.3

Compare Source

Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.3
Security

v7.12.2

Compare Source

Fixed
  • Clamp out-of-range Max-Age so a very large value no longer overflows to an already-expired timestamp
  • Use strict comparison in CookieJar conflict resolution so distinct numeric-string names don't overwrite
  • Store a cookie whose Domain has a trailing dot on the origin host instead of silently discarding it
  • Fix StreamHandler hard-failing on bracketed IPv6 literal hosts when force_ip_resolve is set
  • Use strict cookie Path comparison so CookieJar::clear() with a numeric path keeps a distinct-path cookie
  • Fixed cookie handling for falsey Domain, Max-Age, path, and name values
  • Fixed decode_content handling for falsey string values
  • Fixed deprecated request option values reaching built-in handlers before normalization

v7.12.1

Compare Source

Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12.1
Fixed
  • Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them
Security

v7.12.0

Compare Source

Added
  • Added RequestOptions constants for curl, retries, and stream_context
Changed
  • Adjusted guzzlehttp/psr7 version constraint to ^2.12
  • Constrain cURL transport sharing to safe libcurl DNS and SSL session support
  • Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
  • Ignore proxy environment variables when the proxy request option makes a decision
  • Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
  • Redact proxy credentials from cURL handler error messages, following Psr7\Utils::redactUserInfo()
  • Normalize no-proxy domain and IP literal matching across the cURL and stream handlers
Deprecated
  • Deprecated the request-level handler option, which will be ignored in 8.0
  • Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
  • Deprecated the CURLOPT_PROXYTYPE cURL request option; set the proxy type via a scheme-prefixed proxy URL
  • Deprecated PHP stream context options outside the built-in stream handler allow-list
  • Deprecated passing ntlm as a built-in auth type
  • Deprecated Utils::describeType()
  • Deprecated non-finite floats in the query and form_params options; 8.0 rejects them
  • Deprecated non-string scalar values in the body option; 8.0 rejects them
Fixed
  • Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
  • Fix proxy no list matches being re-proxied through environment-configured proxies by libcurl
  • Fix no list and NO_PROXY matching to support IP CIDR ranges, matching libcurl
  • Fix the stream handler not applying scheme-less proxies and their credentials

v7.11.2

Compare Source

Fixed
  • Fixed non-finite float values emitting coercion warnings on PHP 8.5

v7.11.1

Compare Source

Fixed
  • Ignore request-level transport_sharing, matching other unknown request options

v7.11.0

Compare Source

Added
  • Added support for providing the proxy request option's no value as a comma-delimited string
  • Added the protocols request option to restrict allowed URI schemes for request transfers
  • Added cert_type and ssl_key_type request options for TLS certificate and private-key file types
  • Added PHP stream handler support for the ssl_key request option
  • Added transport sharing via the transport_sharing client and cURL handler options
Changed
  • Adjusted guzzlehttp/promises version constraint to ^2.5
  • Adjusted guzzlehttp/psr7 version constraint to ^2.11
  • Allowed domainless SetCookie instances to be stored without wildcard request matching
  • Changed no-proxy matching to respect request ports for host-and-port rules
  • Prevented CurlMultiHandler destructors from throwing during cleanup
  • Improved invalid response handling across handlers
Deprecated
  • Deprecated non-iterable Pool request collections, which will be rejected in 8.0
  • Deprecated non-uppercase easy request methods; 8.0 preserves method casing
  • Deprecated non-string headers request option values, which will be rejected in 8.0
  • Deprecated empty headers request option value arrays, which will be rejected in 8.0
  • Deprecated empty and malformed request protocol versions, which will be rejected in 8.0
  • Deprecated conflicting raw cURL request options, including CURLOPT_SHARE, which will be rejected in 8.0
  • Deprecated scalar-coerced idn_conversion request option values, which will be rejected in 8.0
  • Deprecated invalid documented request option value types, which will be rejected in 8.0
  • Deprecated selected request options ignored by incompatible built-in handlers, which will be rejected in 8.0
  • Deprecated RequestException::wrapException(), which will be removed in 8.0
  • Deprecated RetryMiddleware::exponentialDelay(), which will be removed in 8.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners June 23, 2026 17:03
@product-auto-label product-auto-label Bot added the samples Issues that are directly related to samples. label Jun 23, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the guzzlehttp/guzzle dependency version from ~7.10.0 to ~7.12.1 in iap/composer.json. There are no review comments, and I have no feedback to provide.

@renovate-bot renovate-bot changed the title fix(deps): update dependency guzzlehttp/guzzle to ~7.12.1 [security] fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security] Jul 10, 2026
@renovate-bot renovate-bot force-pushed the renovate/iap-packagist-guzzlehttp-guzzle-vulnerability branch from a128096 to 470a63b Compare July 10, 2026 08:30
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 10, 2026
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 10, 2026
@renovate-bot renovate-bot force-pushed the renovate/iap-packagist-guzzlehttp-guzzle-vulnerability branch from 470a63b to f09516a Compare July 10, 2026 19:49
@renovate-bot renovate-bot changed the title fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security] fix(deps): update dependency guzzlehttp/guzzle to ~7.12.1 [security] Jul 10, 2026
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 10, 2026
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 10, 2026
@renovate-bot renovate-bot changed the title fix(deps): update dependency guzzlehttp/guzzle to ~7.12.1 [security] fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security] Jul 12, 2026
@renovate-bot renovate-bot force-pushed the renovate/iap-packagist-guzzlehttp-guzzle-vulnerability branch from f09516a to 4f5b843 Compare July 12, 2026 14:55
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 12, 2026
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 12, 2026
@renovate-bot renovate-bot changed the title fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security] fix(deps): update dependency guzzlehttp/guzzle to ~7.12.1 [security] Jul 12, 2026
@renovate-bot renovate-bot force-pushed the renovate/iap-packagist-guzzlehttp-guzzle-vulnerability branch from 4f5b843 to 84d7fe9 Compare July 12, 2026 21:14
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 12, 2026
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 12, 2026
@renovate-bot renovate-bot changed the title fix(deps): update dependency guzzlehttp/guzzle to ~7.12.1 [security] fix(deps): update dependency guzzlehttp/guzzle to ~7.14.0 [security] Jul 13, 2026
@renovate-bot renovate-bot force-pushed the renovate/iap-packagist-guzzlehttp-guzzle-vulnerability branch from 84d7fe9 to ef86ed2 Compare July 13, 2026 04:20
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 13, 2026
@kokoro-team kokoro-team removed kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

samples Issues that are directly related to samples.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants