GHSA-c8rp-cgf4-937w: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-c8rp-cgf4-937w) was identified in mezzio-swoole applications using Diactoros for their PSR-7 implementation. The vulnerability was published on July 25, 2022, and affects versions < 3.7.0 and versions >= 4.0.0, < 4.3.0 of the mezzio/mezzio-swoole package. This security issue is particularly concerning for applications that are either not behind a proxy or can be accessed via untrusted proxies (GitHub Advisory).

The vulnerability allows modification of the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request to reflect values from X-Forwarded-* headers. This occurs in the context of HTTP Host Header handling, potentially compromising the application's security (GitHub Advisory).

The exploitation of this vulnerability can lead to Cross-Site Scripting (XSS) attacks when fully-qualified URLs are used in links, and/or URL poisoning. This poses significant risks to applications that rely on the affected components (GitHub Advisory).

The vulnerability has been patched in versions 3.7.0 and 4.3.0 and later. The patches update the SwooleServerRequestFactory to filter out X-Forwarded-* headers when creating the initial request and implement a FilterUsingXForwardedHeaders instance that only honors X-Forwarded-* headers for private reserved subnets. As a workaround, organizations can place a trusted reverse proxy in front of the mezzio-swoole server (GitHub Advisory).