CVE-2025-1217
Header parser of `http` stream wrapper does not handle folded headers
| Publication Date | 2025-03-14 |
|---|---|
| Severity | Critical |
| Type | Cross-Site Request Forgery |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
A vulnerability classified as problematic has been found in PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5. When the PHP `http` stream wrapper is used to make an HTTP request, folded headers can be parsed incorrectly, causing the response and all following headers to be misinterpreted. This could affect the detected Content Type, authorization, and more.
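To show what a folded header is and why line-by-line parsing misreads it, here is an added example. It is not code from the PHP project or from this advisory. The function names and the sample response are constructed, and the naive parser is a simplified stand-in, not PHP's internal implementation.

```php
<?php
// Added illustration; neither function is PHP's internal parser.

// Naive: every CRLF-separated line is treated as its own header.
function parse_headers_naive(string $raw): array
{
    $headers = [];
    foreach (explode("\r\n", $raw) as $line) {
        if ($line === '') {
            break; // blank line ends the header block
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $headers[strtolower(trim($parts[0]))] = trim($parts[1]);
        }
        // A continuation line with no colon is dropped here; one that
        // contains a colon would be stored as a separate, bogus header.
    }
    return $headers;
}

// Folding-aware: a line starting with SP or HTAB continues the previous
// header value (obs-fold, RFC 7230 section 3.2.4).
function parse_headers_unfolded(string $raw): array
{
    $headers = [];
    $last = null;
    foreach (explode("\r\n", $raw) as $line) {
        if ($line === '') {
            break;
        }
        if ($last !== null && ($line[0] === ' ' || $line[0] === "\t")) {
            $headers[$last] .= ' ' . trim($line); // unfold into one value
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $last = strtolower(trim($parts[0]));
            $headers[$last] = trim($parts[1]);
        }
    }
    return $headers;
}

// Constructed sample: the Content-Type value is folded onto a second line.
$raw = "Content-Type: text/html;\r\n charset=utf-8\r\nX-Frame-Options: DENY\r\n\r\n";
var_dump(parse_headers_naive($raw));    // compare the content-type entry
var_dump(parse_headers_unfolded($raw)); // in the two results
```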
Recommendations
If you are unable to upgrade, but can use an alternative HTTP fetching mechanism such as the cURL extension, we recommend switching immediately.
Otherwise, we recommend upgrading to a known patched version of PHP.