CVE-2025-1736

Stream HTTP wrapper header check might omit basic auth header

Publication Date	2025-03-14
Severity	Low
Type	Cross-Site Request Forgery
Affected PHP Versions	7.2.0-7.2.34
Fixed Product Versions	ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 7.29685875 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendPHP 8.4 ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. In the scenario that user-supplied headers used to make a request via the Streams API HTTP wrapper contain invalid end-of-line characters, later headers may not be sent, or may be misinterpreted by the receiving server.

Recommendations

Always validate user-supplied HTTP headers before making an HTTP request, and ensure they do not container invalid end-of-line characters. This can generally be done via a filter or regex prior to passing the headers on to the Streams API.

If possible, we recommend upgrading to a known patched version of PHP.

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations