CVE-2025-1736
Stream HTTP wrapper header check might omit basic auth header
| Publication Date | 2025-03-14 |
|---|---|
| Severity | Moderate |
| Type | Remote Code Execution |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
A vulnerability classified as problematic has been found in PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5. If user-supplied headers used to make a request via the Streams API HTTP wrapper contain invalid end-of-line characters, later headers may not be sent, or may be misinterpreted by the receiving server.
Recommendations
Always validate user-supplied HTTP headers before making an HTTP request, and ensure they do not contain invalid end-of-line characters. This can generally be done via a filter or regex prior to passing the headers on to the Streams API.
If possible, we recommend upgrading to a known patched version of PHP.
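One way to apply the header validation recommended above, shown as an added example that is not part of the original advisory or of PHP itself. `build_safe_headers()` is a hypothetical helper name, and the sample headers are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (an assumption, not a PHP built-in): takes a
// name => value map of caller-supplied headers and returns "Name: value" lines.
function build_safe_headers(array $userHeaders): array
{
    $lines = [];
    foreach ($userHeaders as $name => $value) {
        // Names: RFC 9110 token characters only; /D stops "$" matching before a trailing newline.
        if (!is_string($name) || preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/D', $name) !== 1) {
            throw new InvalidArgumentException('Invalid header name');
        }
        // Values: reject CR, LF, NUL and other control characters (horizontal tab is allowed).
        if (!is_string($value) || preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
            throw new InvalidArgumentException("Invalid value for header {$name}");
        }
        $lines[] = $name . ': ' . trim($value, " \t");
    }
    return $lines;
}

// Constructed sample input: the second map carries a bare CR inside a value,
// the kind of invalid end-of-line character the advisory describes.
$samples = [
    ['X-Request-Id' => 'abc123', 'Accept' => 'application/json'],
    ['X-Request-Id' => "abc123\rX-Extra: 1"],
];

foreach ($samples as $headers) {
    try {
        $context = stream_context_create([
            'http' => ['method' => 'GET', 'header' => build_safe_headers($headers)],
        ]);
        // No request is sent here; the context is only built and inspected.
        echo 'accepted: ', implode(' | ', stream_context_get_options($context)['http']['header']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting the whole request on a bad header, rather than stripping the offending characters, avoids sending a header set that differs from what the caller intended.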