DEBIAN-CVE-2025-1734

DEBIAN-CVE-2025-1734 PUBLISHED CVSS 5.300000190734863 MEDIUM

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:13	php8.4	0, 0
Debian:12	php8.2	8.2.12-1, 8.2.16-1, 8.2.16-2
Debian:11	php7.4	*, 7.4.26-1, 7.4.30-1+deb11u1
Debian:14	php8.4	0, 0

Exploit Intelligence

CVE-2025-1734.json (github-poc)
index.php (github-poc)
cve_db.json (github-poc)

Timeline

Mar 30, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-1734 advisory

Open in Interactive Console →