CVE-2025-1861
Published: 30 March 2025
Summary
CVE-2025-1861 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in PHP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); it ranks in the top 22.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-1861 by requiring timely remediation of the buffer size flaw in vulnerable PHP versions through vendor patches that enlarge the Location header buffer.
- RA-5 (Vulnerability Monitoring and Scanning): identifies systems running PHP versions affected by CVE-2025-1861 via automated vulnerability scanning against known CVEs and advisories.
- Input validation: requires validation of HTTP Location header values received by the PHP client, so that oversized values exceeding the 1024-byte buffer limit in vulnerable PHP are rejected rather than silently truncated.
MITRE ATT&CK Enterprise Techniques
- Exploitation for Client Execution (T1203)
Why these techniques?
The vulnerability in PHP's HTTP redirect response parsing (buffer truncation of Location header) allows a remote attacker to force a vulnerable PHP client to follow a crafted/truncated URL to a malicious destination, directly enabling exploitation for client execution and subsequent compromise (e.g., phishing or data theft).
NVD Description
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size caused by the limited size of the location buffer to 1024. However, as per RFC 9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Deeper analysis
CVE-2025-1861 is a buffer size calculation vulnerability (CWE-131) affecting PHP versions 8.1 prior to 8.1.32, 8.2 prior to 8.2.28, 8.3 prior to 8.3.19, and 8.4 prior to 8.4.5. The issue arises during parsing of HTTP redirect responses, where the Location header value is limited by a 1024-byte buffer, falling short of the 8000-byte recommendation in RFC 9110. This results in potential truncation of long Location URLs, causing redirection to an unintended destination.
A remote, unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required (CVSSv3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting an HTTP response with an oversized Location header, the attacker tricks a vulnerable PHP client into following a truncated URL, potentially redirecting users to a malicious site and enabling phishing, data theft, or further compromise.
Advisories from PHP (GHSA-52jp-hrpf-2jff), Debian LTS, and NetApp recommend upgrading to patched versions: PHP 8.1.32, 8.2.28, 8.3.19, or 8.4.5. These updates increase the buffer size to align with RFC 9110 standards, preventing truncation during redirect parsing.
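Two checks a defender can run from the facts in this advisory, as an added example that is not part of the original page or of PHP's own code: a version test against the NVD affected ranges (for RA-5 scanning) and a check that flags a captured redirect response whose Location header exceeds the 1024-byte buffer of vulnerable PHP. The sample version strings and HTTP response below are constructed.

```python
"""Checks derived from the CVE-2025-1861 advisory: affected PHP version ranges
from the NVD description, and the 1024-byte Location buffer of vulnerable PHP."""
import re

# Affected per NVD: every 8.x.y below the first fixed release of that branch.
FIRST_FIXED = {
    (8, 1): (8, 1, 32),
    (8, 2): (8, 2, 28),
    (8, 3): (8, 3, 19),
    (8, 4): (8, 4, 5),
}
VULNERABLE_LOCATION_BUFFER = 1024  # bytes, per the advisory


def parse_php_version(version: str) -> tuple:
    """Turn '8.3.18' (optionally with a suffix such as '-dev' or 'RC1') into (8, 3, 18)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if this PHP version falls inside an affected range for CVE-2025-1861."""
    major, minor, patch = parse_php_version(version)
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False  # branch not named by the advisory (e.g. 8.0 or 7.4)
    return (major, minor, patch) < fixed


def oversized_location(raw_response_headers: str, limit: int = VULNERABLE_LOCATION_BUFFER):
    """Return the byte length of the Location header value if it exceeds `limit`, else None.
    Intended for reviewing a captured redirect response received by a PHP client."""
    for line in raw_response_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            length = len(value.strip().encode("utf-8"))
            return length if length > limit else None
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    for v in ("8.1.31", "8.1.32", "8.3.18", "8.4.5", "8.0.30"):
        print(v, "affected" if is_affected(v) else "not affected")
    sample = "HTTP/1.1 302 Found\r\nLocation: https://example.com/" + "a" * 1100 + "\r\n\r\n"
    print("oversized Location value (bytes):", oversized_location(sample))
```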
Details
- CWE(s): CWE-131 (Incorrect Calculation of Buffer Size)