CVE-2025-1736

CVE-2025-1736 affects PHP versions 8.1 prior to 8.1.32, 8.2 prior to 8.2.28, 8.3 prior to 8.3.19, and 8.4 prior to 8.4.5. The vulnerability arises from insufficient validation of end-of-line characters in user-supplied headers when they are sent, which may prevent certain headers from being transmitted or cause them to be misinterpreted. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-20 (Improper Input Validation). The issue was published on 2025-03-30.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation occurs in scenarios where applications send user-supplied headers, allowing attackers to craft inputs that disrupt header processing. Successful attacks can result in low impacts to confidentiality, integrity, and availability, such as preventing legitimate headers from reaching their destination or causing misinterpretation that alters header behavior.

Mitigation involves upgrading to patched PHP versions: 8.1.32, 8.2.28, 8.3.19, or 8.4.5. Relevant advisories include the PHP security advisory at https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528, Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html, and NetApp advisory at https://security.netapp.com/advisory/ntap-20250523-0006/.