Fix CVE-2022-31090 in Guzzle HIGH
Fix CVE-2022-31090 (CURLOPT_HTTPAUTH credential leak) in Guzzle for PHP. Paste your composer.json into PackageFix and get a patched version back — no CLI, no signup.
⚠ Vulnerability
CVE-2022-31090 — CURLOPT_HTTPAUTH credential leak in Guzzle. Update to ^7.9 or later.
Vulnerable Version — composer.json
"guzzlehttp/guzzle": "^7.0"
Fixed Version — composer.json
"guzzlehttp/guzzle": "^7.9"
✓ Fix
Update to ^7.9 and run composer install to apply the fix.
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix →No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
What is CVE-2022-31090?
CVE-2022-31090 is a vulnerability in Guzzle that allows CURLOPT_HTTPAUTH credential leak. Update to version ^7.9 or later to fix it.
Is CVE-2022-31090 on the CISA KEV catalog?
Check the live CISA KEV catalog at packagefix.dev — the catalog updates daily and PackageFix always reflects the current status.
How do I fix CVE-2022-31090 in Guzzle?
Update Guzzle to version ^7.9 or later in your composer.json. Run composer install after updating.
Does CVE-2022-31090 affect all versions of Guzzle?
Check the OSV advisory for the exact affected version range. PackageFix shows the minimum safe version for your installed version.