
Cloud Vulnerability DB
A community-led vulnerabilities database
Applications that use Laminas Diactoros and are either not behind a proxy, or reachable through proxies that are not trusted, can have the host, protocol, and/or port of the Laminas\Diactoros\Uri instance attached to the incoming server request rewritten from X-Forwarded-* headers supplied by the client. This vulnerability (CVE-2022-31109) affects versions up to and including 2.11.0 and was patched in version 2.11.1. Because the rewritten URI is attacker-controlled, it can lead to XSS (if a fully-qualified URL is used in links) and/or URL poisoning (GitHub Advisory).
The vulnerability exists because the library honoured the X-Forwarded-* headers whenever they were present, without checking that the request actually arrived from a trusted proxy. Honouring them is normal behind a reverse proxy: the proxy usually rewrites the Host header to the name of the node it forwards to and adds an X-Forwarded-Host header carrying the original Host value, and the same applies to X-Forwarded-Proto and X-Forwarded-Port for the original scheme and port. The problem is that any client can send these headers directly, so when the application is exposed without a proxy, or sits behind a proxy that passes client-supplied X-Forwarded-* headers through unchanged, the values used to build the request URI come from an untrusted source (GitHub Advisory).
An attacker who can reach the application directly, or through an untrusted proxy, can therefore inject an arbitrary host, scheme or port into the request URI. Wherever the application reflects that URI, for example in absolute links, redirects or generated canonical URLs, the attacker controls the result: this enables XSS if the fully-qualified URL is rendered without escaping, and URL poisoning where the application or downstream components act on the spoofed origin (GitHub Advisory).
Users should upgrade to version 2.11.1 or later, which introduces the FilterServerRequestInterface for validating incoming requests. The patch includes FilterUsingXForwardedHeaders, which provides named constructors (trustProxies(), trustReservedSubnets(), trustAny()) to honour X-Forwarded-* headers only when the request's REMOTE_ADDR falls within specific IP addresses or CIDR subnets. By default, when no filter is passed to ServerRequestFactory::fromGlobals(), 2.11.1 trusts X-Forwarded-* headers only from reserved (private and loopback) subnets, so deployments whose proxy has a public address must pass an explicit trustProxies() filter, and deployments with no proxy at all should consider DoNotFilter so the headers are ignored entirely. For those unable to upgrade, the web server or reverse proxy can be configured to drop or overwrite client-supplied X-Forwarded-* headers before the request reaches PHP; note that a proxy which appends to, rather than replaces, an incoming X-Forwarded-Host header does not remove the exposure (GitHub Advisory).
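The following script is an added example, not code from the advisory or the Laminas project, that makes the difference between the filters concrete. It assumes laminas/laminas-diactoros 2.11.1 or later installed via Composer, and feeds constructed SAPI arrays (documentation-range addresses, an invented internal hostname) into ServerRequestFactory::fromGlobals() with three different FilterServerRequestInterface implementations.

```php
<?php
// Added example (not from the page or the Laminas project): how a request that
// carries spoofed X-Forwarded-* headers is treated by Laminas Diactoros
// >= 2.11.1 depending on which FilterServerRequestInterface is supplied.
// Assumes laminas/laminas-diactoros ^2.11.1 is installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\ServerRequestFactory;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Constructed SAPI environment: the request reaches the app node directly from
// a public client (REMOTE_ADDR is in the 203.0.113.0/24 documentation range)
// but carries attacker-chosen X-Forwarded-* headers posing as proxy metadata.
$spoofedServer = [
    'REMOTE_ADDR'            => '203.0.113.10',
    'SERVER_NAME'            => 'app-node-1.internal', // hypothetical backend name
    'SERVER_PORT'            => '8080',
    'REQUEST_URI'            => '/login',
    'HTTP_HOST'              => 'app-node-1.internal:8080',
    'HTTP_X_FORWARDED_HOST'  => 'evil.example',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
];

// Identical headers, but the request came from the in-house reverse proxy.
// Array union keeps the left-hand REMOTE_ADDR.
$proxiedServer = ['REMOTE_ADDR' => '10.0.0.5'] + $spoofedServer;

// Build the ServerRequest exactly as an application would, with an explicit
// filter, and return the URI the application would go on to use in links.
function uriFor(array $server, FilterServerRequestInterface $filter): string
{
    $request = ServerRequestFactory::fromGlobals($server, [], [], [], [], $filter);

    return (string) $request->getUri();
}

$filters = [
    // Honour X-Forwarded-* from any client: equivalent to the pre-2.11.1 behaviour.
    'trustAny'             => FilterUsingXForwardedHeaders::trustAny(),
    // Honour X-Forwarded-* only when REMOTE_ADDR is inside the proxy's CIDR.
    'trustProxies(10/8)'   => FilterUsingXForwardedHeaders::trustProxies(['10.0.0.0/8']),
    // What fromGlobals() applies when no filter is passed: reserved subnets only.
    'trustReservedSubnets' => FilterUsingXForwardedHeaders::trustReservedSubnets(),
];

foreach ($filters as $name => $filter) {
    printf("%-22s direct client  : %s\n", $name, uriFor($spoofedServer, $filter));
    printf("%-22s via 10.0.0.5   : %s\n", $name, uriFor($proxiedServer, $filter));
}
```

With trustAny() the spoofed host, scheme and port end up in the URI for both requests, which is the behaviour that made versions up to 2.11.0 exploitable. With trustProxies(['10.0.0.0/8']) or the default trustReservedSubnets(), only the request whose REMOTE_ADDR is the proxy is rewritten; the direct client keeps the URI derived from the real Host header and server parameters. The CIDR list passed to trustProxies() should contain exactly the addresses your proxies connect from, and nothing broader.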
Source: This report was generated using AI