Security Advisory: ZF2015-05

ZF2015-05: Potential XSS and Open Redirect vectors in zend-diactoros

The Drupal Security Team notified us of a potential issue with the Diactoros URI implementation. Diactoros is a PSR-7 implementation of HTTP messages.

If the path from a Zend\Diactoros\Uri instance is used to generate links, form targets, or headers, and omits the scheme and authority, a potential XSS and/or open redirect vector is possible if the path starts with double slashes and a path segment that validates as a hostname; in such a situation, it may be interpreted as a scheme-relative link.

The vulnerability exists in all stable versions of zend-diactoros prior to 1.0.4.

Action Taken

Zend\Diactoros\Uri::filterPath() was updated to ensure that the returned path will never begin with double slashes. Tests were also added to prevent a regression in the future.

The patch fixing the issues has been applied in the following versions:

  • zend-diactoros 1.0.4

This vulnerability has also been disclosed as CVE-2015-3257.


If you are using Zend\Diactoros\Uri to generate links, form targets, or headers without including the scheme and authority, we recommend:

  • Upgrading immediately to zend-diactoros 1.0.4.
  • Consider altering your code to generate absolute URIs (which can be done by simply casting the Uri instance to a string).

Other Information


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-06-25

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2021 by Zend by Perforce. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.