All Guzzle HTTP CVEs — Complete Vulnerability History
Guzzle is PHP's most popular HTTP client — used by Laravel, Symfony, AWS SDK, and hundreds of other packages. CVEs here affect any application making HTTP requests through Guzzle.
PHP · 50M+ weekly downloads · 4 CVEs total

Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2016-5385 | 2016 | HIGH | HTTP_PROXY environment variable injection | Fixed 6.2.1 |
| CVE-2022-29248 | 2022 | HIGH | Cookie header not cleared on redirect to different domain | Fixed 7.4.5 |
| CVE-2022-31090 | 2022 | HIGH | CURLOPT_HTTPAUTH credential leak on host change | Fixed 7.4.5 |
| CVE-2022-31091 | 2022 | HIGH | CURLOPT_HTTPAUTH header exposure on redirect | Fixed 7.4.5 |
Current safe version: ^7.9

In composer.json:

```
# Before
"guzzlehttp/guzzle": "^7.0"
# After
"guzzlehttp/guzzle": "^7.9"
```

Then run `composer install`.
Common questions

Why does Guzzle have credential exposure CVEs?

HTTP clients that follow redirects must decide what to do with authentication headers when the redirect goes to a different host. Guzzle historically was too permissive and sent auth headers (and, per CVE-2022-29248, the Cookie header) across host boundaries. The fixes add a strict host check before forwarding credentials: a credential-bearing header is only re-sent when the redirect target is the same host that received it.
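The host check described above, written out as a standalone PHP function. This is an added example, not Guzzle's own redirect middleware: it assumes the hypothetical function name `headersForRedirect`, the header names it strips (Authorization, Proxy-Authorization, Cookie), and constructed sample headers and URIs. It goes slightly beyond the page by also dropping credentials on an https-to-http downgrade, a closely related leak that the same check can cover.

```php
<?php
declare(strict_types=1);

// Added example (not Guzzle's code): decide which request headers an HTTP
// client may forward when following a redirect. Credentials stay bound to the
// host (and scheme) that received them.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

/**
 * Return the subset of $headers that is safe to send to $redirectUri after a
 * response from $originalUri redirected there. Credential-bearing headers are
 * dropped when the host or port changes, and also on an https->http downgrade
 * so a token or session cookie is never re-sent in clear text.
 */
function headersForRedirect(array $headers, string $originalUri, string $redirectUri): array
{
    $from = parse_url($originalUri);
    $to   = parse_url($redirectUri);
    if ($from === false || $to === false || empty($to['host'])) {
        throw new InvalidArgumentException('Cannot parse redirect URIs');
    }

    $sameHost  = strcasecmp($from['host'] ?? '', $to['host']) === 0
              && ($from['port'] ?? null) === ($to['port'] ?? null);
    $downgrade = strtolower($from['scheme'] ?? '') === 'https'
              && strtolower($to['scheme'] ?? '') !== 'https';

    $kept = [];
    foreach ($headers as $name => $value) {
        $isCredential = in_array(strtolower($name), CREDENTIAL_HEADERS, true);
        if ($isCredential && (!$sameHost || $downgrade)) {
            continue; // never forward credentials across a host or scheme boundary
        }
        $kept[$name] = $value;
    }
    return $kept;
}

/** Small self-check helper: fail loudly if a header is missing or leaked. */
function expectHeaders(array $h, array $present, array $absent): void
{
    foreach ($present as $k) {
        if (!isset($h[$k])) { throw new RuntimeException("expected $k to be kept"); }
    }
    foreach ($absent as $k) {
        if (isset($h[$k])) { throw new RuntimeException("$k leaked across redirect"); }
    }
}

// Constructed sample request headers (placeholder values, not from any real system).
$headers = [
    'Authorization' => 'Bearer example-token',
    'Cookie'        => 'session=example-session',
    'Accept'        => 'application/json',
];

// Same host: credentials travel with the redirect.
$same = headersForRedirect($headers, 'https://api.example/v1', 'https://api.example/v2');
expectHeaders($same, ['Authorization', 'Cookie', 'Accept'], []);

// Different host: only non-credential headers survive.
$cross = headersForRedirect($headers, 'https://api.example/v1', 'https://other.example/');
expectHeaders($cross, ['Accept'], ['Authorization', 'Cookie']);

// https -> http on the same host: credentials are dropped as well.
$down = headersForRedirect($headers, 'https://api.example/v1', 'http://api.example/v1');
expectHeaders($down, ['Accept'], ['Authorization', 'Cookie']);

echo "redirect header checks passed\n";
```

Run it with `php redirect_check.php`. The port comparison is deliberately strict: `https://api.example` and `https://api.example:443` are treated as different origins, which errs on the side of dropping credentials rather than leaking them.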
Do Laravel and Symfony use Guzzle?
Yes — Laravel's HTTP client wraps Guzzle, and many Symfony packages use it. Updating the underlying guzzlehttp/guzzle package directly is the safest approach.