Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-1861

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

Published

2025-03-30T06:15:14.957

Last Modified

2025-07-02T20:17:38.193

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-131

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	php	php	< 8.1.31	Yes
Application	php	php	< 8.2.26	Yes
Application	php	php	< 8.3.14	Yes
Application	php	php	< 8.4.5	Yes
Application	netapp	ontap	9	Yes

References

https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20250523-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)