CVE-2025-1734

Streams HTTP wrapper does not fail for headers without colon

Publication Date2025-03-14
SeverityHigh
TypeCross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.31
  • 8.2.0-8.2.27
  • 8.3.0-8.3.18
  • 8.4.0-8.4.4
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. This issue affects some unknown functionality of the component Streams HTTP Wrapper. Headers missing a colon (":") are treated as valid, even though they are not, confusing applications into accepting invalid headers.

Recommendations

If you are using the PHP streams HTTP wrapper to make HTTP requests, we recommend using another HTTP request extension, such as cURL, if you are unable to update.

Otherwise, we recommend upgrading to a known patched version of PHP.