Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-pcmh-g36c-qc44

Опубликовано: 13 мар. 2025
Источник: github
Github: Не прошло ревью

Описание

Streams HTTP wrapper does not fail for headers with invalid name and no colon

The headers without colon are currently returned without in $http_response_header. It means that something like:

printf "HTTP/1.0 200 Ok\r\nContent-Type: text/html\r\nWrong-Header\r\nGood-Header: test\r\n\r\nbody\r\n" |nc -l 0.0.0.0 8000

results in following $http_response_header

array(4) { [0]=> string(15) "HTTP/1.0 200 Ok" [1]=> string(23) "Content-Type: text/html" [2]=> string(12) "Wrong-Header" [3]=> string(17) "Good-Header: test" }

In addition headers that contain a space in header name (before the colon) will also not fail which is not allowed by RFC.

Impact

This can allow issues in the application when parsing the array - e.g. application could consider it as a valid header or as a continuation of the previous one (currently folding header are misbehaving so there could be some logic for that in the application that could result in a security issue). So some sort of request smuggling could be possible in this case

Workarounds

Users can add a special handling of $http_response_header. No notification is triggered for this sort of header so no extra handling there is needed.

Пакеты

Наименование
Отсутствует
Затронутые версииВерсия исправления

< 8.1.32

8.1.32

Наименование
Отсутствует
Затронутые версииВерсия исправления

< 8.2.28

8.2.28

Наименование
Отсутствует
Затронутые версииВерсия исправления

< 8.3.18

8.3.19

Наименование
Отсутствует
Затронутые версииВерсия исправления

< 8.4.5

8.4.5

EPSS

Процентиль: 29%
0.00101
Низкий

CVE ID

CVE-2025-1734

Связанные уязвимости

ubuntu логотип

CVE-2025-1734

CVSS3: 5.3
ubuntu
7 месяцев назад

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

redhat логотип

CVE-2025-1734

CVSS3: 3.7
redhat
7 месяцев назад

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

nvd логотип

CVE-2025-1734

CVSS3: 5.3
nvd
7 месяцев назад

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

msrc логотип

CVE-2025-1734

CVSS3: 5.3
msrc
7 месяцев назад

Streams HTTP wrapper does not fail for headers with invalid name and no colon

debian логотип

CVE-2025-1734

CVSS3: 5.3
debian
7 месяцев назад

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...

EPSS

Процентиль: 29%
0.00101
Низкий

CVE ID

CVE-2025-1734