PT-2025-11346 · Php+11
Jakub Zelenka · Published 2025-01-01 · Updated 2026-02-10 · CVE-2025-1736
CVSS v3.1: 7.3 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
PHP versions 8.1.* through 8.1.31
PHP versions 8.2.* through 8.2.27
PHP versions 8.3.* through 8.3.18
PHP versions 8.4.* through 8.4.4
Description
The issue is related to the insufficient validation of end-of-line characters in user-supplied headers, which may prevent certain headers from being sent or lead to certain headers being misinterpreted. This can potentially impact the result and lead to denial of service or unexpected issues. The check_has_header() function is specifically mentioned as being related to this issue: the lack of verification of \r could lead to misbehavior if only \n is used in the header value.
Recommendations
Update to PHP version 8.1.32 or later for versions 8.1.*
Update to PHP version 8.2.28 or later for versions 8.2.*
Update to PHP version 8.3.19 or later for versions 8.3.*
Update to PHP version 8.4.5 or later for versions 8.4.*
As a temporary workaround, consider disabling the check_has_header() function until a patch is available. Restrict access to user-supplied headers to minimize the risk of exploitation. Avoid using the Cookie header with user-input values until the issue is resolved.
Fix · DoS · RCE
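The header-value issue in the description above, as an added illustration that is not PHP's source or the upstream fix: a presence check that only recognises one line terminator misses a header that follows a bare "\n", while a caller-side validator that refuses CR and LF in header values removes the ambiguity before the http stream wrapper ever sees the input. The function names, the regular expressions and the sample header block are constructed for this example.

```php
<?php
// Added example (not PHP's own code): validate caller-supplied header lines
// before handing them to the http stream wrapper via stream_context_create().
// Assumption: headers arrive as an array of name => value pairs.

// Illustrative presence check (not PHP's actual check_has_header()) that only
// recognises "\r\n" as a line break. With a bare "\n" between two headers the
// second one is never seen as its own line, which is the kind of
// misinterpretation the advisory describes.
function naive_has_header(string $headers, string $name): bool {
    foreach (explode("\r\n", $headers) as $line) {
        if (stripos($line, $name . ':') === 0) {
            return true;
        }
    }
    return false;
}

// Hardened variant: treat "\r\n", bare "\n" and bare "\r" all as terminators.
function has_header(string $headers, string $name): bool {
    foreach (preg_split('/\r\n|\n|\r/', $headers) as $line) {
        if (stripos($line, $name . ':') === 0) {
            return true;
        }
    }
    return false;
}

// Reject any header whose name is not a valid token or whose value contains
// CR or LF at all, so user input can never split or inject header lines,
// regardless of how the wrapper's own check parses the block.
function build_header_block(array $headers): string {
    $lines = [];
    foreach ($headers as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
            throw new InvalidArgumentException("invalid header name: $name");
        }
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("CR/LF in value of $name");
        }
        $lines[] = $name . ': ' . trim($value);
    }
    return implode("\r\n", $lines);
}

// Constructed sample: a bare LF separates two headers.
$raw = "X-Trace: abc\nAuthorization: Basic dXNlcjpwYXNz";
var_dump(naive_has_header($raw, 'Authorization'));
var_dump(has_header($raw, 'Authorization'));

$ctx = stream_context_create(['http' => [
    'header' => build_header_block(['Authorization' => 'Basic dXNlcjpwYXNz']),
]]);
```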
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Php
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu