There is a security issue with "guzzlehttp/guzzle" version 6.5.5 which is currently bundeled with MediaWiki LTS version 1.35 (branch REL1_35)
See https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
Apparently this has already been fixed in several branches of the mediawiki-vendor directory. But I couldn't find an open change to the mediawiki repository itself.
This should be fixed in REL1_35 only, as newer branches already have more recent versions of "guzzlehttp/guzzle".