PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53723 guzzle CVE debrief

A security vulnerability has been discovered in Guzzle Services, a library used to describe web services, serialize requests, and parse responses. The vulnerability, tracked as CVE-2026-53723, affects versions prior to 1.5.4 and allows for XML injection attacks. An attacker can exploit this vulnerability by injecting malicious XML elements into the request body, potentially altering operation semantics, smuggling privileged fields, bypassing modeled parameter boundaries, or creating conflicting duplicated elements.

Vendor: guzzle
Product: guzzle-services
CVSS: MEDIUM 5.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Applications that use `guzzlehttp/guzzle-services` to serialize outgoing requests are affected when a request parameter or `additionalParameters` schema uses `location: xml` and the value is serialized as XML element text rather than as an XML attribute.

Technical summary

The vulnerability arises from the library's use of `XMLWriter::writeCData($value)` to serialize scalar XML element values. If attacker-controlled input contains `]]>`, the CDATA section closes early, and the remainder is interpreted as XML markup. To mitigate this vulnerability, users can update to version 1.5.3 or later, which safely splits embedded CDATA terminators before serialization.
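The following is an added example, not code from the advisory or from the guzzle-services project. It reproduces the failure mode described above with PHP's `XMLWriter` (which writes CDATA content verbatim, without splitting `]]>`), shows the terminator-splitting serialization the fix is described as using (the `str_replace` here is an assumed stand-in, not the project's actual patch), and includes a parse-and-verify check a reviewer can run to confirm that a value survives as plain text with no injected nodes. The element name and the sample value are constructed.

```php
<?php
declare(strict_types=1);

// Naive serialization: the scalar goes straight into one CDATA section.
// If the value contains "]]>", the section ends there and whatever follows
// is parsed as markup (the behaviour the advisory describes).
function serializeNaive(string $element, string $value): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startElement($element);
    $w->writeCData($value);
    $w->endElement();
    return $w->outputMemory();
}

// Hardened serialization: split every "]]>" so no CDATA section ends early.
// "]]>" is emitted as "]]" (closing the current section) followed by a new
// section that starts with ">" ; the parser concatenates both back into "]]>".
// (Assumed stand-in for the project's fix; the exact patch is not reproduced.)
function serializeSplit(string $element, string $value): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startElement($element);
    $w->writeCData(str_replace(']]>', ']]]]><![CDATA[>', $value));
    $w->endElement();
    return $w->outputMemory();
}

// Verification: parse the serialized document and report whether the root
// element still carries exactly the intended text and no child elements.
function roundTripsAsText(string $xml, string $expected): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    if ($ok === false) {
        return false; // malformed output is a failure too
    }
    $root = $doc->documentElement;
    foreach ($root->childNodes as $child) {
        if ($child->nodeType === XML_ELEMENT_NODE) {
            return false; // an element node appeared inside what should be text
        }
    }
    return $root->textContent === $expected;
}

// Constructed sample value: plain text that happens to contain a CDATA
// terminator followed by markup and a new CDATA opener.
$sample = 'ok]]><Injected/><![CDATA[x';

foreach (['naive' => 'serializeNaive', 'split' => 'serializeSplit'] as $label => $fn) {
    $xml = $fn('Name', $sample);
    printf("%-5s %s\n      %s\n", $label, $xml,
        roundTripsAsText($xml, $sample) ? 'text preserved' : 'INJECTED OR MALFORMED');
}
// naive: <Name><![CDATA[ok]]><Injected/><![CDATA[x]]></Name>   -> INJECTED OR MALFORMED
// split: <Name><![CDATA[ok]]]]><![CDATA[><Injected/><![CDATA[x]]></Name> -> text preserved
```

The `roundTripsAsText` check is the useful part for a defender: run it over the serialized body of any request whose `location: xml` parameters accept untrusted input, and any result other than `text preserved` means the value is being interpreted as markup rather than data.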

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to version 1.5.3 or later of Guzzle Services.
  • Constrain attacker-controlled XML element values with a strict `enum`, `pattern`, or custom filter that excludes `]]>`.
  • Avoid serializing untrusted data into `location: xml` element text until patched.

Evidence notes

The vulnerability is patched in `1.5.3` and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes.

Official resources

CVE-2026-53723 was published on 2026-06-11 and modified on 2026-06-11.