CVE-2025-1861
Published: 30 March 2025
Summary
CVE-2025-1861 is a medium-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Php Php. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an incorrect buffer size calculation (CWE-131) in PHP versions 8.1 before 8.1.32, 8.2 before 8.2.28, 8.3 before 8.3.19, and 8.4 before 8.4.5. When the PHP HTTP client parses a Location header in a redirect response, it uses a fixed 1024-byte buffer instead of the 8000-byte limit recommended by RFC 9110, which can cause the URL to be truncated incorrectly and the client to follow a malformed or attacker-controlled destination.
An unauthenticated remote attacker who can influence or observe an HTTP redirect response seen by a vulnerable PHP application may be able to cause the client to connect to an unintended host or path, resulting in limited information disclosure or unintended request behavior.
The referenced GitHub security advisory and vendor notices direct users to upgrade to the fixed releases listed above; Debian and NetApp have issued corresponding package updates that apply the same patches.
The associated EPSS score has remained flat at a low value of 0.0103 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15117
Vulnerability details
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by…
more
limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in PHP's HTTP redirect response parsing (buffer truncation of Location header) allows a remote attacker to force a vulnerable PHP client to follow a crafted/truncated URL to a malicious destination, directly enabling exploitation for client execution and subsequent compromise (e.g., phishing or data theft).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-1861 by requiring timely remediation of the buffer size flaw in vulnerable PHP versions through vendor patches that enlarge the Location header buffer.
Identifies systems running vulnerable PHP versions affected by CVE-2025-1861 via automated vulnerability scanning against known CVEs and advisories.
Requires validation of HTTP Location header inputs to prevent truncation from oversized values exceeding the 1024-byte buffer limit in vulnerable PHP.