CVE-2025-1217

CWE-20 — Improper Input Validation CWE-436 — Interpretation Conflict CWE-128413 documents8 sources

Severity

6.3MEDIUM

EPSS

0.1%

top 73.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedMar 29

Latest updateJan 13

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages10 packages

▶NVDphp/php8.1.0 — 8.1.32+3

▶CVEListV5php_group/php8.1.* — 8.1.32+3

▶Debianphp7.4< 7.4.33-1+deb11u8

▶Debianphp8.2< 8.2.28-1~deb12u1

▶Debianphp8.4< 8.4.5-1+1

🔴Vulnerability Details

OSV

drm/xe: Limit num_syncs to prevent oversized allocations↗2026-01-13

▶

OSV

php7.0, php7.2 vulnerabilities↗2025-07-17

▶

OSV

php7.4, php8.1, php8.3 vulnerabilities↗2025-03-31

▶

OSV

CVE-2025-1217: In PHP from 8↗2025-03-29

▶

CVEList

Header parser of http stream wrapper does not handle folded headers↗2025-03-29

▶

📋Vendor Advisories

Red Hat

kernel: drm/xe: Limit num_syncs to prevent oversized allocations↗2026-01-13

▶

Ubuntu

PHP vulnerabilities↗2025-07-17

▶

Ubuntu

PHP vulnerabilities↗2025-03-31

▶

Red Hat

php: Header parser of http stream wrapper does not handle folded headers↗2025-03-29

▶

Microsoft

Header parser of http stream wrapper does not handle folded headers↗2025-03-11

▶