Jakub Zelenka

Name of the Vulnerable Software and Affected Versions: PHP versions up to 8.1.31 PHP versions up to 8.2.27 PHP versions up to 8.3.18 PHP versions up to 8.4.4 php7.4 Description: The issue concerns the Streams HTTP Wrapper in PHP. Recommendations: For PHP versions up to 8.1.31, update to a version later than 8.1.31. For PHP versions up to 8.2.27, update to a version later than 8.2.27. For PHP versions up to 8.3.18, update to a version later than 8.3.18. For PHP versions up to 8.4.4, update to a version later than 8.4.4. For php7.4, consider upgrading to a newer version of PHP.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.1.* through 8.1.31 PHP versions 8.2.* through 8.2.27 PHP versions 8.3.* through 8.3.18 PHP versions 8.4.* through 8.4.4 **Description** The issue is related to the insufficient validation of end-of-line characters in user-supplied headers, which may prevent certain headers from being sent or lead to certain headers being misinterpreted. This can potentially impact the result and lead to denial of service or unexpected issues. The `check has header()` function is specifically mentioned as being related to this issue, where the lack of verification of `r` could lead to misbehavior if only ` ` is used in the header value. **Recommendations** Update to PHP version 8.1.32 or later for versions 8.1.* Update to PHP version 8.2.28 or later for versions 8.2.* Update to PHP version 8.3.19 or later for versions 8.3.* Update to PHP version 8.4.5 or later for versions 8.4.* As a temporary workaround, consider disabling the `check has header()` function until a patch is available. Restrict access to user-supplied headers to minimize the risk of exploitation. Avoid using the `Cookie` header with user-input values until the issue is resolved.

## Vulnerability Report **Name of the Vulnerable Software and Affected Versions** PHP versions 8.1.0 through 8.1.31 PHP versions 8.2.0 through 8.2.27 PHP versions 8.3.0 through 8.3.18 PHP versions 8.4.0 through 8.4.4 PHP 7.4 (Debian) **Description** PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A vulnerability exists in PHP due to a limited location buffer size when parsing HTTP redirects. This can lead to incorrect URL truncation and redirection to a wrong location. **Recommendations** PHP versions 8.1.0 through 8.1.31: Upgrade to version 8.1.32 or later. PHP versions 8.2.0 through 8.2.27: Upgrade to version 8.2.28 or later. PHP versions 8.3.0 through 8.3.18: Upgrade to version 8.3.19 or later. PHP versions 8.4.0 through 8.4.4: Upgrade to version 8.4.5 or later. PHP 7.4 (Debian): Upgrade to a newer version.