CVE-2025-1734
Streams HTTP wrapper does not fail for headers without colon
Publication Date | 2025-03-14 |
---|---|
Severity | Moderate |
Type | Cross-Site Request Forgery |
Affected PHP Versions |
|
Fixed Product Versions |
|
CVE Details
In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. This issue affects some unknown functionality of the component Streams HTTP Wrapper. Headers missing a colon (":
") are treated as valid, even though they are not, confusing applications into accepting invalid headers.
Recommendations
When using the Streams HTTP Wrapper, validate that your headers are properly formatted before sending the request.
If you are unable to make such changes, ensure that you have updated to a patched version of PHP to correct the issue.