7.2 | CWE-79, CWE-444

CVE-2022-31109: HTTP Host Header Attack Vulnerability in laminas-diactoros

First published: Mon Jul 25 2022 (Updated: )

### Impact

Applications that use Diactoros, and are either not behind a proxy or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of the `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

### Patches

Any version after 2.11.0.

Starting in laminas/laminas-diactoros 2.11.1, we have added `Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface`, which defines the single method `__invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface`. Filters implementing this interface allow modifying and returning a generated `ServerRequest`. The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as `X-Forwarded-Host`.

When operating behind a reverse proxy, the `Host` header is often rewritten to the name of the node to which the request is being forwarded, and an `X-Forwarded-Host` header is generated with the original `Host` value to allow the server to determine the original host the request was intended for. (We have always examined the `X-Forwarded-Proto` header; as of Diactoros 2.11.1, we also examine the `X-Forwarded-Port` header.)

To accommodate this use case, we created `Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders`. Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that initiated the request. (The address of that proxy is found in `$_SERVER['REMOTE_ADDR']`, which is present as `$request->getServerParams()['REMOTE_ADDR']` within PSR-7 implementations.)

`FilterUsingXForwardedHeaders` provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.

`Laminas\Diactoros\ServerRequestFactory::fromGlobals()` was updated to accept a `FilterServerRequestInterface` as an additional, optional argument. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, and to prevent backwards compatibility breaks, if no filter is provided we generate an instance via `FilterUsingXForwardedHeaders::trustReservedSubnets()`, which trusts only proxies on private subnets.

### Workarounds

Infrastructure or DevOps can configure web servers to reject `X-Forwarded-*` headers at the web server level.

Users of laminas/laminas-diactoros can make use of the `Laminas\Diactoros\RequestFilter\RequestFilterInterface` functionality in order to either (a) disable usage of the `X-Forwarded-*` headers entirely, (b) opt in to it, or (c) opt in to its usage for configured proxy servers.

### References

- [HTTP Host Header Attacks](https://portswigger.net/web-security/host-header)

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [laminas/laminas-diactoros](https://github.com/laminas/laminas-diactoros/)
- [Email us](mailto:security@getlaminas.org)
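The following is an added example (not code from the advisory or from the Diactoros project) showing how an application would wire the filter described above into `fromGlobals()` for options (a) and (c) of the workarounds. It assumes laminas/laminas-diactoros 2.11.1 or later is installed via Composer; the load-balancer subnet `10.0.5.0/24` is a constructed value.

```php
<?php
declare(strict_types=1);

// Added example; assumes laminas/laminas-diactoros >= 2.11.1 via Composer.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\ServerRequestFactory;
use Laminas\Diactoros\ServerRequestFilter\DoNotFilter;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Option (a): the application is reached directly by clients, so no
// X-Forwarded-* header can be trusted and none are applied to the URI.
$noProxyFilter = new DoNotFilter();

// Option (c): the application sits behind a known load balancer. Only
// requests whose REMOTE_ADDR falls inside the listed subnet have their URI
// rewritten, and only from the two headers the balancer is known to set.
$trustedProxyFilter = FilterUsingXForwardedHeaders::trustProxies(
    ['10.0.5.0/24'],   // constructed example subnet for the load balancer
    [
        FilterUsingXForwardedHeaders::HEADER_HOST,
        FilterUsingXForwardedHeaders::HEADER_PROTO,
    ]
);

// Pick the filter that matches the deployment; the sixth argument to
// fromGlobals() is the optional FilterServerRequestInterface.
$filter = getenv('APP_BEHIND_LB') === '1' ? $trustedProxyFilter : $noProxyFilter;

$request = ServerRequestFactory::fromGlobals(
    $_SERVER,
    $_GET,
    $_POST,
    $_COOKIE,
    $_FILES,
    $filter
);

// Any absolute URL built from this URI (redirects, canonical links) now
// reflects X-Forwarded-* values only when they came from a trusted proxy.
$uri = $request->getUri();
printf("%s://%s%s\n", $uri->getScheme(), $uri->getAuthority(), $uri->getPath());
```

Omitting the sixth argument yields the `trustReservedSubnets()` default described above, which is appropriate only when every host on your private subnets is a proxy you control.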

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| composer/laminas/laminas-diactoros | <2.11.1 | Upgrade to 2.11.1 or later |
| Getlaminas Laminas-diactoros | <2.11.1 | Upgrade to 2.11.1 or later |


Frequently Asked Questions

  • What is the impact of CVE-2022-31109?

    Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-Host`, `X-Forwarded-Proto`, or `X-Forwarded-Port` headers.

  • What is the severity of CVE-2022-31109?

    The severity of CVE-2022-31109 is high with a CVSS score of 6.1.

  • How can I fix CVE-2022-31109?

    To fix CVE-2022-31109, upgrade to version 2.11.1 of Diactoros or a later, secure version.

  • Where can I find more information about CVE-2022-31109?

    You can find more information about CVE-2022-31109 at the following references: [GitHub Advisory](https://github.com/advisories/GHSA-8274-h5jp-97vr), [GitHub Security Advisories](https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-8274-h5jp-97vr), [GitHub Commit](https://github.com/laminas/laminas-diactoros/commit/25b11d422c2e5dad868f68619888763b30f91e2d).

  • What are the Common Weakness Enumerations (CWE) associated with CVE-2022-31109?

    The Common Weakness Enumerations (CWE) associated with CVE-2022-31109 are CWE-79 (Cross-Site Scripting) and CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')).
