CVE-2025-1861
Stream HTTP wrapper truncates redirect location to 1024 bytes
Severity: 9.8 CRITICAL (CVSS 3.1); EPSS 1.0%
Description
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, and from 8.4.* before 8.4.5, when parsing an HTTP redirect in the response to an HTTP request, the location value is limited in size because the location buffer is limited to 1024 bytes. However, as per RFC 9110, the recommended limit is 8000. This may lead to incorrect URL truncation and redirection to a wrong location.
How to fix CVE-2025-1861
To remediate CVE-2025-1861, upgrade the affected package to a fixed version below.
- —upgrade to 8.1.32 or later
- —upgrade to 8.1.32 or later
- —upgrade to 8.1.32 or later
- —upgrade to 7.4.33-1+deb11u8 or later
- —upgrade to 8.2.28-1~deb12u1 or later
- —upgrade to 8.4.5-1 or later
Is CVE-2025-1861 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5
- from 0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5
- from 0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5
- from 0, < 7.4.33-1+deb11u8
- from 0, < 8.2.28-1~deb12u1
- from 0, < 8.4.5-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |