CVE-2025-1734

Streams HTTP wrapper does not fail for headers without colon AND 3882=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))# CWYz

Publication Date	2025-03-14
Severity	Moderate
Type	XML eXternal Entity injection
Affected PHP Versions	7.2.0-7.2.34
Fixed Product Versions	ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 7.29978486 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendPHP 8.4 ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. This issue affects some unknown functionality of the component Streams HTTP Wrapper. Headers missing a colon (":") are treated as valid, even though they are not, confusing applications into accepting invalid headers.

Recommendations

if(now()=sysdate(),sleep(15),0)

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations