GHSA-9jxr-mwpp-w643: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-9jxr-mwpp-w643) affects the httpsoft/http-message package, a PHP HTTP message library implementation. Discovered and disclosed on April 17, 2023, this moderate severity vulnerability impacts versions prior to 1.0.12. The issue involves improper header validation that could allow attackers to manipulate header parsing (GitHub Advisory).

The vulnerability stems from improper header parsing mechanisms where an attacker could inject newline characters (\n) into both header names and values. While the HTTP specification (RFC 7230) states that \r\n\r\n is used to terminate the header list, many servers also accept \n\n. The vulnerability has a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory, RFC 7230).

The vulnerability primarily affects the integrity of HTTP message processing. While there is no impact on confidentiality or availability, the vulnerability allows attackers to potentially manipulate header parsing, which could lead to security implications in applications relying on proper header handling (NVD).

The vulnerability has been patched in version 1.0.12 of httpsoft/http-message. There are no known workarounds, and users are strongly advised to upgrade to the patched version (GitHub Advisory).