Problem/Motivation
composer audit currently fails for projects using drupal/core-recommended:
Found 2 security vulnerability advisories affecting 1 package:
+-------------------+-----------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| CVE | CVE-2026-48998 |
| Title | guzzlehttp/psr7 has Host Confusion via Authority Reinte...|
| URL | https://github.com/advisories/GHSA-34xg-wgjx-8xph |
| Affected versions | <2.10.2 |
| Reported at | 2026-06-11T13:04:53+00:00 |
+-------------------+-----------------------------------------------------------+
+-------------------+-----------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| CVE | CVE-2026-49214 |
| Title | guzzlehttp/psr7 has CRLF Injection via URI Host Component |
| URL | https://github.com/advisories/GHSA-hq7v-mx3g-29hw |
| Affected versions | <2.10.2 |
| Reported at | 2026-06-11T13:04:47+00:00 |
+-------------------+-----------------------------------------------------------+
While these were fixed a few weeks ago (see https://github.com/advisories/GHSA-hq7v-mx3g-29hw), we can see the composer datasource was only registered with the vulnerabilities on June 11th.
I'm marking this as critical because even though core and contrib are unlikely to use Guzzle in a way to expose these issues, we can't know what code downstream users are bringing into their sites.
Steps to reproduce
composer create-project drupal/recommended-project:11.3.11 drupal && cd drupal && composer audit
Proposed resolution
drupal/core-recommended currently tracks ~2.8.0, making it impossible to upgrade to 2.10.2 without removing drupal/core-recommended. That line should probably be bumped to ~2.10.
Remaining tasks
Release notes snippet
Workaround
You can temporarily fetch the 2.11.0 version of guzzlehttp/psr7 and alias it to 2.8.1 with this:
composer require "guzzlehttp/psr7:2.11.0 as 2.8.1"
Revert this once a new Drupal core is released by deleting the "guzzlehttp/psr7": "2.11.0 as 2.8.1", line in composer.json, and then updating Drupal core.
For details, see https://getcomposer.org/doc/articles/aliases.md.
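The three pieces of the summary above (the audit finding, the ~2.8.0 constraint that blocks the fix, and the alias workaround) can be checked offline against a composer.lock. The script below is an added example written for this page, not code from Drupal, Composer or Guzzle. It assumes a lock file with the usual "packages"/"packages-dev" lists and an "aliases" array of the shape Composer writes for inline aliases; the two lock fragments are constructed to mirror a fresh recommended-project install and the same project after the workaround, not copied from a real site. The constraint matcher only implements Composer's tilde operator, which is all this issue needs.

```python
"""Offline reproduction of this issue: which guzzlehttp/psr7 version a lock
file pins, whether it falls in the advisories' "<2.10.2" range, and why the
~2.8.0 line in drupal/core-recommended blocks the fix unless an alias is used.
Added example for this page; not Drupal, Composer or Guzzle code."""
import json

PACKAGE = "guzzlehttp/psr7"
FIXED_IN = "2.10.2"  # both advisories in the summary list "<2.10.2" as affected


def parse_version(text):
    """'2.10.2', 'v2.8.0' or a normalized '2.11.0.0' -> (2, 10, 2) for comparison.
    Pre-release/build suffixes are dropped; enough for the versions on this page."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def tilde_range(constraint):
    """Composer tilde semantics: ~2.8.0 means >=2.8.0 <2.9.0, ~2.10 means >=2.10 <3.0."""
    if not constraint.startswith("~"):
        raise ValueError("only tilde constraints are modelled here: %r" % constraint)
    parts = [int(p) for p in constraint[1:].split(".")]
    low = tuple(parts + [0] * (3 - len(parts)))
    if len(parts) >= 3:
        high = (parts[0], parts[1] + 1, 0)
    else:
        high = (parts[0] + 1, 0, 0)
    return low, high


def satisfies(constraint, version):
    """True if `version` is inside the tilde range `constraint`."""
    low, high = tilde_range(constraint)
    return low <= parse_version(version) < high


def audit_lock(lock_text):
    """Report every guzzlehttp/psr7 entry in a composer.lock: the real installed
    version, whether it is below the fix, and the alias Composer recorded, if any.
    The "aliases" shape (package/version/alias) is assumed to match Composer's."""
    lock = json.loads(lock_text)
    aliases = {a["package"]: a["alias"] for a in lock.get("aliases", [])}
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"] != PACKAGE:
                continue
            findings.append({
                "installed": pkg["version"],
                "vulnerable": parse_version(pkg["version"]) < parse_version(FIXED_IN),
                "alias": aliases.get(PACKAGE),
            })
    return findings


# Constructed lock fragments (not real drupal.org artifacts): the shape of a
# recommended-project install pinned by ~2.8.0, and the same project after
# `composer require "guzzlehttp/psr7:2.11.0 as 2.8.1"`.
LOCK_BEFORE = json.dumps({
    "packages": [{"name": PACKAGE, "version": "2.8.0"}],
    "aliases": [],
})
LOCK_AFTER = json.dumps({
    "packages": [{"name": PACKAGE, "version": "2.11.0"}],
    "aliases": [{"package": PACKAGE, "version": "2.11.0.0",
                 "alias": "2.8.1", "alias_normalized": "2.8.1.0"}],
})

if __name__ == "__main__":
    print("before workaround:", audit_lock(LOCK_BEFORE))
    print("after workaround: ", audit_lock(LOCK_AFTER))
    # Why the alias is needed: ~2.8.0 rejects the fixed release but accepts the
    # 2.8.1 alias; the proposed ~2.10 line accepts the fix directly.
    for c, v in (("~2.8.0", "2.10.2"), ("~2.8.0", "2.8.1"),
                 ("~2.10", "2.10.2"), ("~2.10", "2.11.0")):
        print("%-7s %-7s %s" % (c, v, satisfies(c, v)))
```

The "vulnerable" flag is computed from the real installed version, not the alias, which is the point of the workaround: the lock still carries 2.11.0, only the constraint resolver is shown 2.8.1. Running audit_lock on your own composer.lock is a quick way to confirm the alias took effect before trusting a green composer audit.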
Issue fork drupal-3599842
- 3599842-guzzlehttppsr7-needs-to-10.6.x (MR !16045)
- 3599842-guzzlehttppsr7-needs-to-11.3.x (MR !16048)
- 3599842-guzzlehttppsr7-needs-to (MR !16044)
- 3599842-guzzlehttppsr7-needs-to-11.4.x (MR !16047)
- 3599842-guzzlehttppsr7-needs-to-11.x (MR !16046)
Comments
Comment #2
joelpittet: Adding workaround
As seen in #3592382: Update Twig to v3.27.0
Comment #4
godotislate: We start on main and then backport.
Comment #12
godotislate: MRs up for main, 11.3.x, and 10.6.x. Originally bumped to 2.11.0, but that introduced deprecations, so went to 2.10.4 instead.
11.x and 11.4.x were already on 2.10.4.
Comment #13
dww: I tried the same manual steps on all 3 branches: main, 11.3.x, and 10.6.x. In every case:
- composer install then composer audit reveals the 2 guzzlehttp/psr7 vulnerabilities listed in the summary.
- composer install - Upgrading guzzlehttp/psr7 (2.8.0 => 2.10.4): Extracting archive
- composer audit - now clean.
Confirmed we're already running 2.10 on 11.4.x and 11.x branches, and composer audit is already happy on those branches.
Pipelines are green in all 3 MRs.
The diff is small, expected and the same in each.
Nothing to complain about. Ship it!
Thanks,
-Derek
Comment #18
catch: Committed/pushed to main, 11.3.x and 10.6.x, thanks!
Added credit for @longwave for slack discussion.
Comment #21
dww: Thanks!
Doesn't look like you pushed the 11.3.x commit. Or the push failed. But I'm not seeing a commit on that branch via git pull (and there's no mention of it here).
Comment #23
catch: Should be up now, thanks for spotting!
Comment #24
jamesoakley: For site maintainers: Do we live with the officially insecure version of guzzlehttp/psr7 until the next release of Drupal Core, or make changes to our composer.json so that it can be updated before then?
Comment #25
joelpittet: @jamesoakley RE #24 I used the workaround in comment #2 (#3599842-2: guzzlehttp/psr7 needs to be updated to >2.10.2 to fix 2 security issues), then my alerts stop yelling at me for the weekend. It probably depends on your risk tolerance (and in this case what sites you are guzzling from). linkchecker comes to mind, but it only reads HEAD by default, so maybe mitigated.
You can also remove drupal/core-recommended and just go with drupal/core to live closer to the unstable edge of things. But you might end up with incompatible versions (or minor things like @godotislate mentioned in #12 where it shows deprecation messages)... 🪨😬🧱
Comment #26
ressa: Thanks for fixing this so fast. Since the similar twig/twig episode, I had a chance to experiment with how to revert a Composer alias, and you simply delete the alias line in composer.json, and then update Drupal core, which I have added in the Issue Summary.