CVE-2025-1861

CRITICAL

PHP <8.1.32, <8.2.28, <8.3.19, <8.4.5 - Info Disclosure

Title source: llm

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

References (3)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html

[Vendor Advisory] https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20250523-0005/

Scores

CVSS v3 9.8

EPSS 0.0103

EPSS Percentile 77.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-131

Status published

Products (2)

netapp/ontap 9

php/php 8.1.0 - 8.1.31

Published Mar 30, 2025

Tracked Since Feb 18, 2026