CVE-2025-1861

216.73.216.6

· Published 30/03/2025 06:15 · Modified 30/03/2025 06:15

Labels: CVE-2025-1861 2025-03-30 CVE-2025-1861 CWE-131 [email protected]

Essential information

Published: 30/03/2025 06:15
Modified: 30/03/2025 06:15
Author: —
Creator: —
CVSS: 6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
php / php	`cpe:2.3:a:php:php:8.1.:<8.1.32>:::::*`
php / php	`cpe:2.3:a:php:php:8.2.:<8.2.28>:::::*`
php / php	`cpe:2.3:a:php:php:8.3.:<8.3.19>:::::*`
php / php	`cpe:2.3:a:php:php:8.4.:<8.4.5>:::::*`