CVE-2025-1736
Published: 30 March 2025
Summary
CVE-2025-1736 is a high-severity Improper Input Validation (CWE-20) vulnerability in Php Php. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-supplied information inputs at system entry points, addressing the improper validation of end-of-line characters in headers.
Ensures flaws like this PHP input validation vulnerability are identified and remediated through timely patching to fixed versions.
Filters information outputs prior to transmission, helping sanitize user-supplied headers to mitigate misinterpretation due to invalid end-of-line characters.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote, unauthenticated network exploit in PHP's header processing due to improper input validation on EOL characters, directly enabling exploitation of public-facing web applications.
NVD Description
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to…
more
certain headers be misinterpreted.
Deeper analysisAI
CVE-2025-1736 affects PHP versions 8.1 prior to 8.1.32, 8.2 prior to 8.2.28, 8.3 prior to 8.3.19, and 8.4 prior to 8.4.5. The vulnerability arises from insufficient validation of end-of-line characters in user-supplied headers when they are sent, which may prevent certain headers from being transmitted or cause them to be misinterpreted. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-20 (Improper Input Validation). The issue was published on 2025-03-30.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Exploitation occurs in scenarios where applications send user-supplied headers, allowing attackers to craft inputs that disrupt header processing. Successful attacks can result in low impacts to confidentiality, integrity, and availability, such as preventing legitimate headers from reaching their destination or causing misinterpretation that alters header behavior.
Mitigation involves upgrading to patched PHP versions: 8.1.32, 8.2.28, 8.3.19, or 8.4.5. Relevant advisories include the PHP security advisory at https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528, Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html, and NetApp advisory at https://security.netapp.com/advisory/ntap-20250523-0006/.
Details
- CWE(s)