GHSA-8jp9-mpv9-98rj: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in amphp/http-client affecting versions 4.0.0 to 4.4.0, involving header leakage during cross-domain redirects. The vulnerability was discovered and patched on June 16, 2020, with the release of version 4.4.0. The issue has been assigned the identifier GHSA-8jp9-mpv9-98rj and is classified as a moderate severity vulnerability (GitHub Advisory).

The vulnerability stems from a flaw in the Message::setHeaders functionality where it did not correctly replace the entire set of headers but only operated on the headers matching the given array keys. This implementation weakness could result in sensitive request headers from the initial request being leaked to the redirected host during cross-domain redirects. The vulnerability has been assigned a CVSS v3.1 score of 4.0 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N (GitHub Advisory).

The vulnerability could lead to the exposure of sensitive header information when requests are redirected across different domains. This could potentially compromise security by revealing sensitive information to unintended recipients (GitHub Advisory).

The vulnerability has been fixed in version 4.4.0 of amphp/http-client. Users are advised to upgrade to this version or later to address the security weakness. The fix involves correctly removing headers on redirects to different hosts (Release Notes).