Skip to main content

Streams HTTP wrapper does not fail for headers without colon

Publication Date 2025-03-14
Severity Moderate
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 7.29978486
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. This issue affects some unknown functionality of the component Streams HTTP Wrapper. Headers missing a colon (":") are treated as valid, even though they are not, confusing applications into accepting invalid headers.

Recommendations

When using the Streams HTTP Wrapper, validate that your headers are properly formatted before sending the request.

If you are unable to make such changes, ensure that you have updated to a patched version of PHP to correct the issue.