Cyber Resilience

CVE-2025-1736

Medium

Published: 30 March 2025

Published
30 March 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0055 68.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1736 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Php Php. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1736 affects PHP versions 8.1 prior to 8.1.32, 8.2 prior to 8.2.28, 8.3 prior to 8.3.19, and 8.4 prior to 8.4.5. The vulnerability arises from insufficient validation of end-of-line characters in user-supplied headers when they are sent, which may prevent certain headers from being transmitted or cause them to be misinterpreted. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-20 (Improper Input Validation). The issue was published on 2025-03-30.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation occurs in scenarios where applications send user-supplied headers, allowing attackers to craft inputs that disrupt header processing. Successful attacks can result in low impacts to confidentiality, integrity, and availability, such as preventing legitimate headers from reaching their destination or causing misinterpretation that alters header behavior.

Mitigation involves upgrading to patched PHP versions: 8.1.32, 8.2.28, 8.3.19, or 8.4.5. Relevant advisories include the PHP security advisory at https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528, Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html, and NetApp advisory at https://security.netapp.com/advisory/ntap-20250523-0006/.

EU & UK References

Vulnerability details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to…

more

certain headers be misinterpreted.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote, unauthenticated network exploit in PHP's header processing due to improper input validation on EOL characters, directly enabling exploitation of public-facing web applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1861Same product: Netapp Ontap
CVE-2025-24970Same product class: NAS / storage appliance
CVE-2026-6722Same product: Php Php
CVE-2024-10442Same product class: NAS / storage appliance
CVE-2024-45538Same product class: NAS / storage appliance
CVE-2025-59385Same product class: NAS / storage appliance
CVE-2025-52425Same product class: NAS / storage appliance
CVE-2024-10441Same product class: NAS / storage appliance
CVE-2025-59384Same product class: NAS / storage appliance
CVE-2024-13086Same product class: NAS / storage appliance

Affected Assets

php
php
8.1.0 — 8.1.32 · 8.2.0 — 8.2.28 · 8.3.0 — 8.3.19
netapp
ontap
9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied information inputs at system entry points, addressing the improper validation of end-of-line characters in headers.

prevent

Ensures flaws like this PHP input validation vulnerability are identified and remediated through timely patching to fixed versions.

prevent

Filters information outputs prior to transmission, helping sanitize user-supplied headers to mitigate misinterpretation due to invalid end-of-line characters.

References