CVE-2025-1861

About vulnerability

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

Affected product:

AlmaLinux 9.2 ESU , Alpine Linux 3.18 ELS , Alpine Linux 3.22 , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 6 ELS , CloudLinux 7 ELS , Debian 10 , Debian 10 ELS , Debian 11 , Debian 12 , Debian 13 , EL 10 , EL 6 , EL 7 , EL 8 , EL 9 , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 , Ubuntu 16.04 ELS , Ubuntu 18.04 , Ubuntu 18.04 ELS , Ubuntu 20.04 , Ubuntu 20.04 ELS , Ubuntu 22.04 , Ubuntu 24.04 , Windows 10

Affected packages:

php @ 7.4 (+179 more)

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.