Stream HTTP wrapper header check might omit basic auth header

Publication Date 2025-03-14
Severity Low
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 7.29685875
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.2

CVE Details

A vulnerability, classified as problematic, has been found in PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5. When user-supplied headers used to make a request via the Streams API HTTP wrapper contain invalid end-of-line characters, later headers may not be sent, or may be misinterpreted by the receiving server.

Recommendations

Always validate user-supplied HTTP headers before making an HTTP request, and ensure they do not contain invalid end-of-line characters. This can generally be done via a filter or regex prior to passing the headers on to the Streams API.
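One way to apply this check is shown below as an added example; it is not code from Zend or the PHP project. The helper name `build_safe_headers()`, the sample headers, and the commented-out URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; build_safe_headers() is a hypothetical helper name.
// Returns "Name: value" lines, or throws if any header is unsafe.
function build_safe_headers(array $headers): array
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $name = (string) $name;
        // Names must be an RFC 9110 token. \A and \z anchor the whole string;
        // a trailing "$" would still accept a name ending in "\n".
        if (preg_match('/\A[!#$%&\'*+.^_`|~0-9A-Za-z-]+\z/', $name) !== 1) {
            throw new InvalidArgumentException('Invalid header name');
        }
        // Values: reject CR, LF, NUL and other control bytes (tab is allowed).
        if (!is_string($value) || preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
            throw new InvalidArgumentException("Invalid value for header $name");
        }
        $lines[] = $name . ': ' . trim($value, " \t");
    }
    return $lines;
}

// Constructed sample input: the second set carries an injected CRLF sequence.
$samples = [
    ['X-Request-Id' => 'abc123', 'Accept' => 'application/json'],
    ['X-Request-Id' => "abc123\r\nX-Injected: 1"],
];
foreach ($samples as $userHeaders) {
    try {
        $safe = build_safe_headers($userHeaders);
        $context = stream_context_create(['http' => [
            'method' => 'GET',
            'header' => $safe, // array form: the wrapper joins the lines itself
        ]]);
        // $body = file_get_contents('https://api.example.test/', false, $context);
        echo 'accepted: ', implode(' | ', $safe), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting the request outright, rather than stripping the offending bytes, avoids sending a header whose meaning has silently changed.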

If possible, we recommend upgrading to a known patched version of PHP.