CVE-2025-1736

CWE-20 — Improper Input Validation9 documents7 sources

Severity

6.3MEDIUM

EPSS

0.6%

top 29.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP Netapp Ontap

Timeline

PublishedMar 30

Latest updateJul 17

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDphp/php8.1.0 — 8.1.32+3

▶CVEListV5php_group/php8.1.* — 8.1.32+3

▶Debianphp7.4< 7.4.33-1+deb11u8

▶Debianphp8.2< 8.2.28-1~deb12u1

▶Debianphp8.4< 8.4.5-1+1

Also affects: Ontap 9

🔴Vulnerability Details

OSV

php7.0, php7.2 vulnerabilities↗2025-07-17

▶

CVEList

Stream HTTP wrapper header check might omit basic auth header↗2025-03-30

▶

OSV

CVE-2025-1736: In PHP from 8↗2025-03-30

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2025-07-17

▶

Ubuntu

PHP vulnerabilities↗2025-03-31

▶

Red Hat

php: Stream HTTP wrapper header check might omit basic auth header↗2025-03-30

▶

Microsoft

Stream HTTP wrapper header check might omit basic auth header↗2025-03-11

▶

Debian

CVE-2025-1736: php7.4 - In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3...↗2025

▶