VDB
DEBIAN-CVE-2025-1861
DEBIAN-CVE-2025-1861
PUBLISHED
CVSS 9.800000190734863 CRITICAL
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | php8.2 | 8.2.7-1.2, 8.2.10-1, 8.2.16-1 |
| Debian:13 | php8.4 | 0, 0 |
| Debian:14 | php8.4 | 0, 0 |
| Debian:11 | php7.4 | 7.4.33-1+deb11u5, 7.4.33-1+deb11u6, 7.4.33-1+deb11u7 |
Timeline
- Mar 30, 2025 CVE Published
- Apr 28, 2026 CVE Updated