CVE-2025-1734

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-1734

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1734.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1734

Aliases

Downstream

BELL-CVE-2025-1734

DEBIAN-CVE-2025-1734

DLA-4088-1

DSA-5878-1

MINI-4252-xmvh-7qc4

MINI-48w3-6hp5-q2v5

MINI-mh8r-pjw4-96g5

MINI-x254-fpw7-927v

OESA-2025-1302

OESA-2025-1303

OESA-2025-1304

OESA-2025-1305

OESA-2025-1306

RHSA-2025:15687

RHSA-2025:4263

RHSA-2025:7418

RHSA-2025:7431

RHSA-2025:7432

RHSA-2025:7489

RLSA-2025:4263

RLSA-2025:7418

RLSA-2025:7431

RLSA-2025:7432

RLSA-2025:7489

SUSE-SU-2025:0994-1

SUSE-SU-2025:1012-1

SUSE-SU-2025:1025-1

SUSE-SU-2025:1026-1

UBUNTU-CVE-2025-1734

USN-7400-1

USN-7645-1

openSUSE-SU-2025:14895-1

Related

Published

2025-03-30T06:15:14Z

Modified

2025-08-11T15:13:36.754545Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

381ba9f5d0edd0c9c8ec1dea7e21d513ad08b115

Fixed

aa4bed90d8927de8c2648ea5f3f4a32c56301b71