Summary: A series of security vulnerabilities in PHP pose significant risks to web applications, including information leaks and denial-of-service attacks. Key vulnerabilities include improper handling of HTTP headers, buffer limitations in redirects, and flaws in header parsing. Developers are urged to upgrade to the latest patched versions to safeguard against these vulnerabilities.
Affected: PHP programming language (versions prior to 8.1.32, 8.2.28, 8.3.18, and 8.4.5)
Keypoints :
- Critical issue CVE-2025-1861 involves truncation of redirect locations due to a buffer size limit, leading to possible information omissions and denial-of-service risks.
- CVE-2025-1734 allows header smuggling through improper validation of headers with invalid names, potentially causing parsing issues.
- CVE-2025-1217 highlights incorrect handling of folded headers, which may lead to misreported MIME types and misinterpretation of responses.
- Vulnerability CVE-2025-1219 pertains to incorrect content-type headers during redirects, risking security bypasses.
- CVE-2025-1736 involves poor verification of header values, raising the potential for denial-of-service attacks.
- Patched versions of PHP are available, and developers are strongly encouraged to update.