CVE-2025-1861

Medium

Published: 30 March 2025

Modified: 03 November 2025
CVSS Score v4: 6.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0103 (77.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1861 is a medium-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in PHP. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 22.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an incorrect buffer size calculation (CWE-131) in PHP versions 8.1 before 8.1.32, 8.2 before 8.2.28, 8.3 before 8.3.19, and 8.4 before 8.4.5. When the PHP HTTP client parses a Location header in a redirect response, it uses a fixed 1024-byte buffer instead of the 8000-byte limit recommended by RFC 9110, which can cause the URL to be truncated incorrectly and the client to follow a malformed or attacker-controlled destination.

An unauthenticated remote attacker who can influence or observe an HTTP redirect response seen by a vulnerable PHP application may be able to cause the client to connect to an unintended host or path, resulting in limited information disclosure or unintended request behavior.

The referenced GitHub security advisory and vendor notices direct users to upgrade to the fixed releases listed above; Debian and NetApp have issued corresponding package updates that apply the same patches.
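
A version triage against the fixed releases named above, as an added example that is not part of the original page or of the PHP project. The host names and version strings in `SAMPLE_INVENTORY` are constructed, and the `review` status is an assumption: distro packages can carry the patch under an older upstream number, so a suffixed build below the fixed release needs a package-level check rather than a verdict.

```python
import re

# Fixed patch level per branch, taken from the advisory text on this page.
FIXED = {(8, 1): 32, (8, 2): 28, (8, 3): 19, (8, 4): 5}

# Upstream x.y.z followed by an optional pre-release or package suffix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"-?(rc|alpha|beta|dev)", re.IGNORECASE)


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'review' or 'out-of-scope'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "review"                # unparseable string: check by hand
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "out-of-scope"          # branch not listed on this page
    if patch > fixed_patch:
        return "fixed"
    if patch == fixed_patch:
        # A pre-release of the fixed version is not the fixed release.
        return "review" if _PRERELEASE.match(suffix) else "fixed"
    # Below the fixed release: a package suffix may hide a backported
    # patch (assumption), so the package changelog decides.
    return "review" if suffix else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group host names by classification."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed inventory: host name -> reported PHP version string.
SAMPLE_INVENTORY = {
    "web-01": "8.1.31",
    "web-02": "8.2.28",
    "web-03": "8.2.26-1+distro1",
    "web-04": "8.3.19RC1",
    "web-05": "8.4.5",
    "batch-01": "7.4.33",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```
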

The associated EPSS score has remained flat at a low value of 0.0103 with no observed rise after disclosure.

Vulnerability details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size caused by limited size of the location buffer to 1024. However, as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in PHP's HTTP redirect response parsing (buffer truncation of Location header) allows a remote attacker to force a vulnerable PHP client to follow a crafted/truncated URL to a malicious destination, directly enabling exploitation for client execution and subsequent compromise (e.g., phishing or data theft).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1736 · Same product: Netapp Ontap
CVE-2025-0725 · Same product class: NAS / storage appliance
CVE-2024-56171 · Same product: Netapp Ontap
CVE-2025-27423 · Same product class: NAS / storage appliance
CVE-2025-26512 · Same product class: NAS / storage appliance
CVE-2025-24928 · Same product: Netapp Ontap
CVE-2025-26465 · Same product: Netapp Ontap
CVE-2025-0411 · Same product class: NAS / storage appliance
CVE-2024-54085 · Same product class: NAS / storage appliance
CVE-2025-1215 · Same product class: NAS / storage appliance

Affected Assets

Vendor: php · Product: php · Versions: 8.1.0 — 8.1.31 · 8.2.0 — 8.2.26 · 8.3.0 — 8.3.14
Vendor: netapp · Product: ontap · Versions: 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mitigates CVE-2025-1861 by requiring timely remediation of the buffer size flaw in vulnerable PHP versions through vendor patches that enlarge the Location header buffer.

Detect: Identifies systems running vulnerable PHP versions affected by CVE-2025-1861 via automated vulnerability scanning against known CVEs and advisories.

Prevent: Requires validation of HTTP Location header inputs to prevent truncation from oversized values exceeding the 1024-byte buffer limit in vulnerable PHP.
