How the CVE Works
CVE-2025-1861 affects PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5. The vulnerability arises because the HTTP client stores the `Location` header of a redirect response in a 1024-byte buffer, while RFC 9110 recommends supporting up to 8000 bytes. When PHP processes a response whose redirect URL is longer than that, it truncates the Location value and follows the truncated URL, potentially redirecting the request to a malicious or incorrect destination. The flaw lies in the HTTP client component, where the missing length validation lets an attacker who controls the server's response manipulate redirects via crafted responses.
DailyCVE Form
Platform: PHP
Version: 8.1.* - 8.4.* (pre-patch)
Vulnerability: HTTP Redirect Truncation
Severity: Medium
Date: 07/02/2025
Prediction: Patch expected by 08/15/2025
What Undercode Say
- Check PHP version: `php -v`
- Test redirect handling: `curl -v -L "http://example.com/long-redirect-url"`
- Mitigation (temporary): `ini_set('user_agent', 'Custom-UA/1.0');`
How It Is Exploited
- Craft HTTP response with long `Location` header (>1024 bytes).
- Force victim to follow malicious truncated redirect.
- Bypass security checks via malformed URLs.
Protection from this CVE
- Update to PHP 8.1.32, 8.2.28, 8.3.19, or 8.4.5+.
- Validate redirect URLs server-side.
- Limit HTTP client redirect depth.
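The last two bullets, as an added PHP example that is not code from the advisory or the PHP project: it switches off the http wrapper's own redirect following, caps the redirect depth, and checks the length, scheme and host of every `Location` value before following it. ALLOWED_HOSTS and any URL passed in are assumed placeholders.

```php
<?php
// Added example (not code from the advisory or the PHP project): fetch a URL while handling
// redirects manually so every Location value is checked before it is followed. ALLOWED_HOSTS is a placeholder.

const MAX_REDIRECTS = 3;          // cap redirect depth
const MAX_LOCATION_BYTES = 8000;  // RFC 9110 figure cited in the advisory
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Returns an absolute URL that is safe to follow, or null to refuse the redirect.
function validateRedirectTarget(string $location, string $base): ?string
{
    if (strlen($location) > MAX_LOCATION_BYTES) { return null; }
    $parts = parse_url($location) ?: [];
    if (!isset($parts['host'])) {            // relative Location: resolve against the base origin
        $b = parse_url($base) ?: [];
        $location = ($b['scheme'] ?? 'http') . '://' . ($b['host'] ?? '') . '/' . ltrim($location, '/');
        $parts = parse_url($location) ?: [];
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    // Refuse anything that is not plain http/https or whose host is not on the allowlist.
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, ALLOWED_HOSTS, true)) { return null; }
    return $location;
}

function fetchWithValidatedRedirects(string $url): ?string
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,              // never let the wrapper redirect by itself
        'ignore_errors' => true,             // return 3xx headers and body instead of failing
    ]]);
    for ($hop = 0; $hop <= MAX_REDIRECTS; $hop++) {
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) { return null; }
        // $http_response_header is populated by the http wrapper after each request.
        $status = preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0] ?? '', $m) ? (int) $m[1] : 0;
        $locs = preg_grep('/^Location:/i', $http_response_header);
        $location = $locs ? trim(substr(end($locs), 9)) : null;
        if ($status < 300 || $status > 399 || $location === null) {
            return $body;                    // final response, not a redirect
        }
        $next = validateRedirectTarget($location, $url);
        if ($next === null) {
            error_log("Refusing redirect from $url: untrusted or oversized Location header");
            return null;
        }
        $url = $next;                        // validated; follow it on the next loop iteration
    }
    error_log("Redirect depth limit exceeded while fetching $url");
    return null;
}
```

Call `fetchWithValidatedRedirects('https://example.com/')` to try it; a redirect whose Location exceeds 8000 bytes or points outside ALLOWED_HOSTS is logged and refused rather than followed.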
Impact
- Phishing via fake redirects.
- Broken authentication flows.
- Unintended server access.
Sources:
Reported By: nvd.nist.gov