PT-2024-8888 · Php+10
Lorenzo Leonardini +1
Published 2024-11-15 · Updated 2026-02-10
CVE-2024-11234
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
PHP versions 8.1.* before 8.1.31
PHP versions 8.2.* before 8.2.26
PHP versions 8.3.* before 8.3.14
Description:
The issue is related to the configuration of the request_fulluri option in PHP, which can lead to HTTP request smuggling when using streams with a configured proxy. This can allow an attacker to perform arbitrary HTTP requests originating from the server, potentially gaining access to resources not normally available to the external user. Exploitation of this issue may enable a remote attacker to send hidden HTTP requests.
Recommendations:
For PHP versions 8.1.* before 8.1.31, update to version 8.1.31 or later.
For PHP versions 8.2.* before 8.2.26, update to version 8.2.26 or later.
For PHP versions 8.3.* before 8.3.14, update to version 8.3.14 or later.
As a temporary workaround, consider disabling the use of the request_fulluri option in streams with configured proxies until a patch is available, and restrict access to the proxy handler to minimize the risk of exploitation.
Exploit · Fix · HTTP Request/Response Smuggling · RCE · Special Elements Injection
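The workaround from the recommendations above, written out as an added example (not code from the advisory or from the PHP project): the stream-context shape to avoid on unpatched builds beside a hardened one that leaves request_fulluri at its default and validates the target URL before handing it to the stream wrapper. The proxy address and the sample URLs are constructed assumptions.

```php
<?php
// Added example, not from the advisory. Hypothetical egress proxy address.
const PROXY = 'tcp://proxy.internal.example:3128';

// Weak form on an unpatched 8.1/8.2/8.3 build: request_fulluri together with a
// configured proxy, exactly the combination the advisory says to avoid.
function weak_context(): array
{
    return ['http' => ['proxy' => PROXY, 'request_fulluri' => true]];
}

// Hardened form: request_fulluri stays at its default (false), and only URLs that
// pass validate_target_url() reach the wrapper.
function hardened_context(): array
{
    return ['http' => ['proxy' => PROXY, 'method' => 'GET', 'timeout' => 10.0]];
}

// Defensive check on the caller-supplied URL: the request line must be a single
// line, so reject control characters and whitespace anywhere in the string, then
// require a well-formed http(s) URL.
function validate_target_url(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Fetch through the proxy with the hardened context; refused URLs are logged so
// that attempts show up in application logs.
function fetch_via_proxy(string $url): string|false
{
    if (!validate_target_url($url)) {
        error_log('refused URL (hex): ' . bin2hex($url));
        return false;
    }
    $ctx = stream_context_create(hardened_context());
    return @file_get_contents($url, false, $ctx);
}

// Constructed inputs: one ordinary URL, one carrying a line break.
var_dump(validate_target_url('http://example.com/path'));
var_dump(validate_target_url("http://example.com/path\r\nX-Injected: 1"));
```

Some proxies only accept absolute-form request lines, which is what request_fulluri produces; where that is the case the workaround is not available and the version update listed above is the only complete remedy.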
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu