CVE-2025-1734

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
phpCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.32
phpphp
8.2.0 ≤
𝑥
< 8.2.28
phpphp
8.3.0 ≤
𝑥
< 8.3.19
phpphp
8.4.0 ≤
𝑥
< 8.4.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
7.4.33-1+deb11u8
fixed
php8.2
bookworm
8.2.28-1~deb12u1
fixed
bookworm (security)
8.2.28-1~deb12u1
fixed
php8.4
trixie
8.4.10-1
fixed
sid
8.4.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
trusty
needs-triage
php7.0
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
needs-triage
php7.2
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
php7.4
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 7.4.3-4ubuntu2.29
released
php8.1
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 8.1.2-1ubuntu2.21
released
focal
dne
php8.3
plucky
dne
oracular
Fixed 8.3.11-0ubuntu0.24.10.5
released
noble
Fixed 8.3.6-0ubuntu0.24.04.4
released
jammy
dne
focal
dne
php8.4
plucky
Fixed 8.4.5-1
released
oracular
dne
noble
dne
jammy
dne
focal
dne
Common Weakness Enumeration
References
https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44
https://security.netapp.com/advisory/ntap-20250523-0009/