PT-2025-11343 · Php+11
Tim Düsterhus · Published 2025-01-01 · Updated 2026-02-10 · CVE-2025-1217
CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A
Name of the Vulnerable Software and Affected Versions
PHP versions 8.1.* through 8.1.31
PHP versions 8.2.* through 8.2.27
PHP versions 8.3.* through 8.3.18
PHP versions 8.4.* through 8.4.4
Description
The HTTP request module in PHP incorrectly parses folded headers in HTTP responses. As a result, PHP may misinterpret the response and use incorrect headers, MIME types, etc. A remote attacker can exploit the vulnerability to send hidden HTTP requests.
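The effect of mishandling a folded header can be seen in a simplified illustration, added here and not taken from PHP's source or from this advisory. The sample response and both parser functions are constructed for the example; the folding rule (a line starting with a space or tab continues the previous field) is the obs-fold rule from RFC 7230.

```php
<?php
// Constructed sample: raw header block of an HTTP response in which the
// X-Note field is folded onto a second line (obs-fold, RFC 7230 section 3.2.4).
$raw = "HTTP/1.1 200 OK\r\n"
     . "Content-Type: text/plain\r\n"
     . "X-Note: first part\r\n"
     . "\tContent-Type: text/html\r\n"
     . "Content-Length: 0\r\n";

// Naive parser (hypothetical): every line is treated as a new "Name: value"
// field, so a continuation line is mistaken for a header of its own.
function parse_naive(string $raw): array {
    $headers = [];
    foreach (array_slice(explode("\r\n", rtrim($raw, "\r\n")), 1) as $line) {
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Fold-aware parser (hypothetical): a line starting with SP or HTAB continues
// the previous field value. Folds are counted so the caller can reject or log
// the response instead of trusting it.
function parse_fold_aware(string $raw): array {
    $headers = [];
    $folds = 0;
    $last = null;
    foreach (array_slice(explode("\r\n", rtrim($raw, "\r\n")), 1) as $line) {
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t")) {
            if ($last !== null) {
                $headers[$last] .= ' ' . trim($line);
                $folds++;
            }
            continue;
        }
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $last = strtolower(trim($name));
        $headers[$last] = trim($value);
    }
    return ['headers' => $headers, 'folds' => $folds];
}

$naive = parse_naive($raw);
$strict = parse_fold_aware($raw);
echo "naive content-type:      {$naive['content-type']}\n";
echo "fold-aware content-type: {$strict['headers']['content-type']}\n";
echo "folded lines seen:       {$strict['folds']}\n";
```

The two parsers disagree on the Content-Type of the same response, which is the kind of header and MIME type confusion the description refers to; a non-zero fold count is a reasonable signal to log or refuse the response.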
Recommendations
For PHP versions 8.1.* through 8.1.31, update to version 8.1.32 or later.
For PHP versions 8.2.* through 8.2.27, update to version 8.2.28 or later.
For PHP versions 8.3.* through 8.3.18, update to version 8.3.19 or later.
For PHP versions 8.4.* through 8.4.4, update to version 8.4.5 or later.
As a temporary workaround, consider restricting access to the http stream wrapper until a patch is available.
Exploit
Fix
HTTP Request/Response Smuggling
RCE
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
PHP
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu