CVE-2025-1734

CWE-20 — Improper Input Validation CWE-416 — Use After Free10 documents7 sources

Severity

6.3MEDIUM

EPSS

0.4%

top 40.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP Netapp Ontap

Timeline

PublishedMar 30

Latest updateJul 17

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages7 packages

▶NVDphp/php8.1.0 — 8.1.32+3

▶CVEListV5php_group/php8.1.* — 8.1.32+3

▶Debianphp7.4< 7.4.33-1+deb11u8

▶Debianphp8.2< 8.2.28-1~deb12u1

▶Debianphp8.4< 8.4.5-1+1

Also affects: Ontap 9

🔴Vulnerability Details

OSV

php7.0, php7.2 vulnerabilities↗2025-07-17

▶

CVEList

Streams HTTP wrapper does not fail for headers with invalid name and no colon↗2025-03-30

▶

OSV

CVE-2025-1734: In PHP from 8↗2025-03-30

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2025-07-17

▶

Ubuntu

PHP vulnerabilities↗2025-03-31

▶

Red Hat

php: Streams HTTP wrapper does not fail for headers with invalid name and no colon↗2025-03-30

▶

Microsoft

Streams HTTP wrapper does not fail for headers with invalid name and no colon↗2025-03-11

▶

Debian

CVE-2025-1734: php7.4 - In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3...↗2025

▶