Cyber Posture

CVE-2025-1861

Critical

Published: 30 March 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0103 (77.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2025-1861 is a buffer size calculation vulnerability (CWE-131) affecting PHP versions 8.1 prior to 8.1.32, 8.2 prior to 8.2.28, 8.3 prior to 8.3.19, and 8.4 prior to 8.4.5. The issue arises during parsing of HTTP redirect responses, where the Location header value is limited by a 1024-byte buffer, falling short of the 8000-byte recommendation in RFC 9110. This results in potential truncation of long Location URLs, causing redirection to an unintended destination.

A remote, unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required (CVSSv3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting an HTTP response with an oversized Location header, the attacker tricks a vulnerable PHP client into following a truncated URL, potentially redirecting users to a malicious site and enabling phishing, data theft, or further compromise.

Advisories from PHP (GHSA-52jp-hrpf-2jff), Debian LTS, and NetApp recommend upgrading to patched versions: PHP 8.1.32, 8.2.28, 8.3.19, or 8.4.5. These updates increase the buffer size to align with RFC 9110 standards, preventing truncation during redirect parsing.
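The practical defence on a host that cannot be upgraded yet is to stop the http stream wrapper from acting on the Location header itself and to validate the redirect in user code. The script below is an added example for this record, not code from the page or from the PHP project. It relies on the documented stream context options `follow_location` and `ignore_errors` and on the `$http_response_header` array the http wrapper fills in; the host allowlist, the single-hop fetch helper and the sample 302 response are constructed assumptions. The fixed versions it encodes are the ones named in the summary above.

```php
<?php
// Added defensive example (not the CVE record's or the PHP project's code).
// Keep PHP's http wrapper from following redirects on its own, then validate
// the Location header before deciding whether to follow it.
declare(strict_types=1);

// Fixed releases named in the advisory, compared as PHP_VERSION_ID values.
// Anything below 8.1 is outside the advisory; treat it conservatively as unfixed.
function php_version_has_fix(int $versionId = PHP_VERSION_ID): bool
{
    if ($versionId < 80100) return false;
    if ($versionId < 80200) return $versionId >= 80132; // 8.1.32
    if ($versionId < 80300) return $versionId >= 80228; // 8.2.28
    if ($versionId < 80400) return $versionId >= 80319; // 8.3.19
    return $versionId >= 80405;                          // 8.4.5
}

// Pull the Location value out of a $http_response_header-style array.
function location_header(array $headers): ?string
{
    foreach ($headers as $line) {
        if (strncasecmp($line, 'Location:', 9) === 0) {
            return trim(substr($line, 9));
        }
    }
    return null;
}

// Validate a redirect target. Returns the absolute URL to follow, or null.
// Deliberately conservative: http(s) only, allowlisted hosts only, and on an
// unfixed interpreter nothing longer than the 1024-byte buffer the CVE describes.
function validated_redirect_target(string $requestUrl, array $headers, array $allowedHosts, bool $fixed): ?string
{
    $location = location_header($headers);
    if ($location === null) {
        return null; // not a redirect
    }
    $limit = $fixed ? 8000 : 1024; // RFC 9110 minimum vs. the vulnerable buffer size
    if (strlen($location) > $limit) {
        return null; // could be truncated (or is unreasonably long): refuse
    }
    $base = parse_url($requestUrl);
    $target = parse_url($location);
    if ($base === false || $target === false) {
        return null;
    }
    if (!isset($target['scheme'])) {
        // Only root-relative paths are resolved; protocol-relative or other forms are refused.
        if (!str_starts_with($location, '/') || str_starts_with($location, '//')) {
            return null;
        }
        $origin = $base['scheme'] . '://' . $base['host'] . (isset($base['port']) ? ':' . $base['port'] : '');
        $location = $origin . $location;
        $target = parse_url($location);
    }
    if (!in_array(strtolower($target['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!isset($target['host']) || !in_array(strtolower($target['host']), $allowedHosts, true)) {
        return null;
    }
    return $location;
}

// Fetch one hop with the wrapper's own redirect following switched off (assumed helper).
function fetch_single_hop(string $url): array
{
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'follow_location' => 0,    // do not let the wrapper act on Location itself
        'ignore_errors'   => true, // return 3xx/4xx responses instead of failing
        'timeout'         => 10,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    // The http wrapper populates $http_response_header in this scope.
    return ['body' => $body === false ? '' : $body, 'headers' => $http_response_header ?? []];
}

// Follow at most $maxHops validated redirects; null means a redirect was refused.
function fetch_following_validated_redirects(string $url, array $allowedHosts, int $maxHops = 5): ?string
{
    $fixed = php_version_has_fix();
    for ($hop = 0; $hop < $maxHops; $hop++) {
        $resp = fetch_single_hop($url);
        if (location_header($resp['headers']) === null) {
            return $resp['body']; // final response, no redirect
        }
        $next = validated_redirect_target($url, $resp['headers'], $allowedHosts, $fixed);
        if ($next === null) {
            return null; // redirect refused by the checks above
        }
        $url = $next;
    }
    return null; // too many hops
}

// Constructed sample response (no network): a 302 whose Location exceeds 1024 bytes.
$sampleHeaders = [
    'HTTP/1.1 302 Found',
    'Location: https://www.example.com/' . str_repeat('a', 1100),
    'Content-Length: 0',
];
$allowed = ['www.example.com'];
// On an unfixed interpreter the oversized Location is refused even though the host is allowlisted.
var_dump(validated_redirect_target('https://www.example.com/start', $sampleHeaders, $allowed, false));
// On a fixed interpreter it is accepted, because it is within the RFC 9110 limit.
var_dump(validated_redirect_target('https://www.example.com/start', $sampleHeaders, $allowed, true));
```

The length gate is what matters for this CVE: a Location value longer than the wrapper's buffer is exactly the input an unfixed client would silently cut short, so refusing it in user code removes the truncated-redirect outcome regardless of which host the value names. The allowlist is an additional control for redirect handling in general and is independent of the bug.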

Details

CWE(s): CWE-131

Affected Products

php / php: 8.1.0 to 8.1.31 · 8.2.0 to 8.2.26 · 8.3.0 to 8.3.14
netapp / ontap: 9

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in PHP's HTTP redirect response parsing (buffer truncation of Location header) allows a remote attacker to force a vulnerable PHP client to follow a crafted/truncated URL to a malicious destination, directly enabling exploitation for client execution and subsequent compromise (e.g., phishing or data theft).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
