CVE-2025-1861
Stream HTTP wrapper truncate redirect location to 1024 bytes
| Field | Value |
|---|---|
| Publication Date | 2025-03-14 |
| Severity | Critical |
| Type | Cross-Site Request Forgery |
| Affected PHP Versions | 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, 8.4.* before 8.4.5 |
| Fixed Product Versions | 8.1.32, 8.2.28, 8.3.19, 8.4.5 |
CVE Details
In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability classified as problematic was found. When parsing an HTTP redirect in a response to a request sent via the PHP Stream API's HTTP wrapper, these versions limited the Location header value to 1024 bytes, whereas RFC-9110 defines a limit of 8000 bytes. A longer redirect URL was therefore truncated, which could result in redirection to the wrong location.
Recommendations
If you are able to use an alternative HTTP client that implements RFC-9110 correctly, such as the cURL extension, we recommend switching to it if you cannot update immediately.
Otherwise, we recommend upgrading to a known patched version of PHP.
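The following is an added example, not code from the advisory or from the PHP project, showing how an application can put both recommendations into practice: it checks the running PHP version against the fixed versions listed above, and fetches through ext/curl (which the advisory names as a correct alternative) with redirect following capped and restricted to http/https. The function names `phpStreamWrapperAffected` and `fetchWithCurl` are this example's own; the version table is copied from the advisory text.

```php
<?php
// Added example (not part of the advisory): version check plus an ext/curl
// fetch to use in place of file_get_contents()/fopen() over the http:// wrapper.

/** First fixed release per branch, taken from the advisory text. */
const CVE_2025_1861_FIXED = [
    '8.1' => '8.1.32',
    '8.2' => '8.2.28',
    '8.3' => '8.3.19',
    '8.4' => '8.4.5',
];

/**
 * True when $version is on one of the listed branches and older than its fix.
 * Branches the advisory does not mention return false (no statement is made
 * about them here).
 */
function phpStreamWrapperAffected(string $version = PHP_VERSION): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(CVE_2025_1861_FIXED[$branch])) {
        return false;
    }
    return version_compare($version, CVE_2025_1861_FIXED[$branch], '<');
}

/**
 * Fetch $url with ext/curl, following at most $maxRedirects redirects.
 * Returns [status, finalUrl, body]; throws on transport errors.
 */
function fetchWithCurl(string $url, int $maxRedirects = 5): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => $maxRedirects,
        // Never follow a redirect to a non-HTTP scheme (file://, gopher://, ...).
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl request failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    // The URL actually reached after redirects; log it so an unexpected
    // final destination is visible rather than silently consumed.
    $final = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    curl_close($ch);

    return [$status, $final, $body];
}

if (PHP_SAPI === 'cli') {
    $url = $argv[1] ?? 'https://example.com/'; // constructed default for the demo
    if (phpStreamWrapperAffected()) {
        fwrite(STDERR, 'PHP ' . PHP_VERSION
            . " predates the CVE-2025-1861 fix; fetching via ext/curl instead of the stream wrapper.\n");
    }
    [$status, $final, $body] = fetchWithCurl($url);
    printf("HTTP %d, final URL %s, %d body bytes\n", $status, $final, strlen($body));
}
```

Run as `php fetch.php https://host/path` on the build in question. The version check only decides whether to warn; the fetch always goes through ext/curl so the same code path is used before and after the upgrade, and `CURLINFO_EFFECTIVE_URL` gives you the destination that was actually followed, which is the value to compare against expectations when auditing redirect handling.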