Summary
Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack
Workarounds
Infrastructure or DevOps can configure web servers to reject X-Forwarded-* headers at the web server level.
Users of laminas/laminas-diactoros can make use of the Laminas\Diactoros\RequestFilter\RequestFilterInterface functionality in order to either (a) disable usage of the X-Forwarded-* headers entirely, (b) opt-in to it, or (c) opt-in to the usage for configured proxy servers.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in laminas/laminas-diactoros
- Email us
Impact
Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2022-31109 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.11.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Any version after 2.11.0.
Starting in laminas/laminas-diactoros 2.11.1, we have added Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines the single method __invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface. Filters implementing this interface allow modifying and returning a generated ServerRequest.
The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as X-Forwarded-Host. When operating behind a reverse proxy, the Host header is often rewritten to the name of the node to which the request is being forwarded, and an X-Forwarded-Host header is generated with the original Host value to allow the server to determine the original host the request was intended for. (We have always examined the X-Forwarded-Proto header; as of Diactoros 2.11.1, we also examine the X-Forwarded-Port header.) To accommodate this use case, we created Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders.
Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request.
(This value is found in $_SERVER['REMOTE_ADDR'], which is present as $request->getServerParams()['REMOTE_ADDR'] within PSR-7 implementations.) FilterUsingXForwardedHeaders provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.
Laminas\Diactoros\ServerRequestFactory::fromGlobals() was updated to accept a FilterServerRequestInterface as an additional, optional argument. Since the X-Forwarded-* headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via FilterUsingXForwardedHeaders::trustReservedSubnets(), which generates an instance marked to trust only proxies on private subnets.
Frequently Asked Questions
- What is CVE-2022-31109? CVE-2022-31109 is a medium-severity cross-site scripting (XSS) vulnerability in laminas/laminas-diactoros (composer), affecting versions < 2.11.1. It is fixed in 2.11.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2022-31109? CVE-2022-31109 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of laminas/laminas-diactoros are affected by CVE-2022-31109? laminas/laminas-diactoros (composer) versions < 2.11.1 is affected.
- Is there a fix for CVE-2022-31109? Yes. CVE-2022-31109 is fixed in 2.11.1. Upgrade to this version or later.
- Is CVE-2022-31109 exploitable, and should I be worried? Whether CVE-2022-31109 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2022-31109 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2022-31109? Upgrade
laminas/laminas-diactorosto 2.11.1 or later.