Stream HTTP wrapper header check might omit basic auth header

Publication Date: 2025-03-14
Severity: Moderate
Type: Denial of Service
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.31
  • 8.2.0-8.2.27
  • 8.3.0-8.3.18
  • 8.4.0-8.4.4
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability classified as problematic has been found. If user-supplied headers used to make a request via the Streams API HTTP wrapper contain invalid end-of-line characters, later headers may not be sent, or may be misinterpreted by the receiving server.

Recommendations

Always validate user-supplied HTTP headers before making an HTTP request, and ensure they do not contain invalid end-of-line characters. This can generally be done via a filter or regex prior to passing the headers on to the Streams API.
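
One way to implement the validation recommended above, as an added example that is not Zend's or the PHP project's own code. The function name `build_safe_header_lines`, the policy of rejecting every control character except tab, and the sample header sets are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Added example; the function name and strict policy are assumptions.
 * Turns name => value pairs into header lines for the 'header' context
 * option, throwing if a name or value could break HTTP line framing.
 */
function build_safe_header_lines(array $headers): array
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $name = (string) $name;
        // Names must be an RFC 9110 token. \A and \z anchor the whole
        // string; "$" would still match before a trailing "\n".
        if (preg_match('/\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/', $name) !== 1) {
            throw new InvalidArgumentException('invalid header name');
        }
        // Values: reject CR, LF, NUL and other control bytes (tab allowed).
        if (!is_string($value) || preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
            throw new InvalidArgumentException("invalid value for header {$name}");
        }
        $lines[] = $name . ': ' . trim($value, " \t");
    }
    return $lines;
}

// Constructed sample input: the last two sets carry stray line breaks.
$samples = [
    ['X-Request-Id' => 'abc123', 'Accept' => 'application/json'],
    ['X-Request-Id' => "abc123\r\nX-Extra: 1"],
    ['X-Trace' => "value\n"],
];

foreach ($samples as $headers) {
    try {
        // The wrapper accepts an array of lines and adds the CRLFs itself.
        $context = stream_context_create(['http' => [
            'method' => 'GET',
            'header' => build_safe_header_lines($headers),
        ]]);
        echo 'accepted: ', implode(', ', array_keys($headers)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The resulting `$context` is what would be passed as the third argument to `file_get_contents()`; the example stops before making any request so it runs offline.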

If possible, we recommend upgrading to a known patched version of PHP.