
A series of security vulnerabilities has been uncovered in the PHP programming language, potentially exposing web applications to a range of attacks. The vulnerabilities affect various aspects of PHP’s HTTP stream wrapper, presenting risks from information leaks to denial-of-service.
One critical issue, tracked as CVE-2025-1861, involves the stream HTTP wrapper truncating redirect locations. “There is currently a limit on the location value size caused by limited size of the location buffer to 1024,” which falls short of the recommended 8000 bytes as per RFC 9110. This limitation can lead to the omission of critical information from the URI or even redirection to unintended resources. In severe cases, “it could even result in DOS of the remote site if the truncated URL results in error.”
Another significant vulnerability, CVE-2025-1734, concerns how the streams HTTP wrapper handles headers with invalid names. The issue arises because headers without a colon are returned without any errors, and headers containing a space in the header name (before the colon) are also not flagged as invalid. This can cause problems when applications parse the response headers. “So some sort of request smuggling could be possible in this case,” the advisory warns.
CVE-2025-1217 highlights a flaw in the header parser of the HTTP stream wrapper, where folded headers are not handled correctly. The parser interprets header lines beginning with whitespace as new headers rather than as continuations of the previous one. This can lead to incorrect MIME type reporting and misparsing of responses, potentially causing applications to interpret responses incorrectly, especially after redirects.
The libxml streams also contain a vulnerability, CVE-2025-1219, where the wrong content-type header is used when requesting a redirected resource. When the HTTP stream wrapper follows a redirect, it doesn’t clear the list of captured headers, causing headers from multiple requests to be stored together. The php_libxml_input_buffer_create_filename() function then scans this combined header array and may use a content-type header that doesn’t belong to the final response, potentially leading to incorrect parsing and security bypasses.
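An application-side check for the response-header issues described above (invalid names, folded lines, and headers left over from earlier redirect hops), as an added example that is not PHP's own code. The function name final_response_headers and the sample array are hypothetical; the input is assumed to have the shape of the $http_response_header array that the HTTP wrapper fills in.

```php
<?php
// Added example: keep only the final response's headers and reject lines
// an application should not trust. Names and sample data are hypothetical.
function final_response_headers(array $lines): array
{
    $headers = [];
    $last = null;
    foreach ($lines as $line) {
        if (preg_match('#^HTTP/\d(\.\d)? \d{3}#', $line)) {
            // New status line: a redirect hop ended, discard its headers.
            $headers = [];
            $last = null;
            continue;
        }
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t")) {
            // Folded continuation: append to the previous header's value.
            if ($last === null) {
                throw new UnexpectedValueException('continuation without a header');
            }
            $i = count($headers[$last]) - 1;
            $headers[$last][$i] .= ' ' . trim($line);
            continue;
        }
        // The name must be an RFC 9110 token directly followed by a colon.
        if (!preg_match('/^([!#$%&\'*+.^_`|~0-9A-Za-z-]+):(.*)$/', $line, $m)) {
            throw new UnexpectedValueException('invalid header line: ' . $line);
        }
        $last = strtolower($m[1]);
        $headers[$last][] = trim($m[2]);
    }
    return $headers;
}

// Constructed sample: one redirect hop followed by the final response.
$sample = [
    'HTTP/1.1 302 Found',
    'Content-Type: text/html; charset=iso-8859-1',
    'Location: /feed.xml',
    'HTTP/1.1 200 OK',
    'Content-Type: application/xml;',
    ' charset=utf-8',
];
$h = final_response_headers($sample);
echo $h['content-type'][0], "\n"; // taken from the 200 response only
```

A header line with no colon, or with a space before the colon, raises an exception here instead of being passed on to application logic.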
Finally, CVE-2025-1736 describes a vulnerability in the stream HTTP wrapper header check. The header check does not properly verify the presence of \r, which could lead to misbehavior if only \n is used in the header value. If a user provides this value without proper checking, it could, for example, disable the sending of the authorization header if a newline character is injected before it. “That could potentially impact the result and lead potentially to DoS or potentially to some unexpected issues,” the advisory states. This issue also has implications for other headers, such as the user-agent.
These vulnerabilities affect PHP versions prior to 8.1.32, 8.2.28, 8.3.18, and 8.4.5. Patched versions are now available: 8.1.32, 8.2.28, 8.3.19, and 8.4.5. PHP developers are strongly advised to update to these patched versions to mitigate the risks posed by these security flaws.