CVE-2025-1734

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-1734

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1734.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-1734

Aliases

Downstream

AZL-59315

AZL-59334

BELL-CVE-2025-1734

DEBIAN-CVE-2025-1734

DLA-4088-1

DSA-5878-1

MGASA-2025-0100

MINI-4252-xmvh-7qc4

MINI-48w3-6hp5-q2v5

MINI-mh8r-pjw4-96g5

MINI-x254-fpw7-927v

OESA-2025-1302

OESA-2025-1303

OESA-2025-1304

OESA-2025-1305

OESA-2025-1306

RHSA-2025:15687

RHSA-2025:4263

RHSA-2025:7418

RHSA-2025:7431

RHSA-2025:7432

RHSA-2025:7489

RHSA-2026:2470

RLSA-2025:15687

RLSA-2025:4263

RLSA-2025:7418

RLSA-2025:7431

RLSA-2025:7432

RLSA-2025:7489

RLSA-2026:2470

SUSE-SU-2025:0994-1

SUSE-SU-2025:1012-1

SUSE-SU-2025:1025-1

SUSE-SU-2025:1026-1

UBUNTU-CVE-2025-1734

USN-7400-1

USN-7645-1

openSUSE-SU-2025:14895-1

Related

Published

2025-03-30T05:43:35.771Z

Modified

2026-05-15T11:53:15.031411646Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Streams HTTP wrapper does not fail for headers with invalid name and no colon

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/1xxx/CVE-2025-1734.json",
    "cna_assigner": "php"
}

References

Affected packages