GHSA-wjfc-pgfp-pv9c: 
PHP vulnerability analysis and mitigation

The vulnerability (CVE-2023-29197) affects nyholm/psr7, a PSR-7 HTTP message library implementation in PHP. Discovered and disclosed in April 2023, this vulnerability involves improper header parsing that affects versions prior to 1.6.1. The issue is a follow-up to CVE-2022-24775 where the previous fix was incomplete (GitHub Advisory, Debian Security).

The vulnerability allows attackers to exploit improper header parsing mechanisms. Specifically, an attacker could inject newline characters (\n) into both header names and values. While the HTTP specification (RFC 7230) states that \r\n\r\n should be used to terminate the header list, many servers also accept \n\n, creating a potential security risk. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability could allow attackers to manipulate header parsing behavior, potentially leading to security implications through header injection attacks. The impact primarily affects the integrity of the header processing, though the specific impact is rated as Low according to the CVSS scoring (GitHub Advisory).

The vulnerability has been patched in version 1.6.1 of nyholm/psr7. There are no known workarounds for this vulnerability, and users are strongly advised to upgrade to the patched version (GitHub Advisory).