CVE-2024-8925

Severity: 5.3 MEDIUM
EPSS: 2.4% (top 14.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 8
Latest update: Feb 26

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could allow a malicious attacker who is able to control part of the submitted data to exclude a portion of other data, potentially leading to erroneous application behavior.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.6 | Impact: 1.4

Affected Packages (10 packages)

NVD | php/php | 8.1.0 | 8.1.30 | +2
CVEListV5 | php_group/php | 8.1.* | 8.1.30 | +2
Ubuntu | php5 | < 5.5.9+dfsg-1ubuntu4.29+esm16
Debian | php7.4 | < 7.4.33-1+deb11u6
Debian | php8.2 | < 8.2.24-1~deb12u1

🔴Vulnerability Details

5
OSV | php5 vulnerabilities | 2025-02-26
OSV | php7.0, php7.2 vulnerabilities | 2024-11-14
OSV | CVE-2024-8925: In PHP versions 8 | 2024-10-08
CVEList | Erroneous parsing of multipart form data | 2024-10-08
OSV | php7.4, php8.1, php8.3 vulnerabilities | 2024-10-01

📋Vendor Advisories

6
Ubuntu | PHP vulnerabilities | 2025-02-26
Ubuntu | PHP vulnerabilities | 2024-11-14
Microsoft | Erroneous parsing of multipart form data | 2024-10-08
Red Hat | php: Erroneous parsing of multipart form data | 2024-10-07
Ubuntu | PHP vulnerabilities | 2024-10-01