Streams HTTP wrapper does not fail for headers with invalid name and no colon

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

Streams HTTP wrapper does not fail for headers with invalid name and no colon

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...

Уязвимость интерпретатора языка программирования PHP, связанная с недостатками обработки заголовков HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

ELSA-2025-7431: php security update (MODERATE)

Security update for php7

Security update for php7

Security update for php8

Security update for php8

Important: php security update

ELSA-2025-7489: php security update (IMPORTANT)

ELSA-2025-7418: php:8.3 security update (IMPORTANT)

ELSA-2025-7432: php:8.2 security update (MODERATE)

ELSA-2025-4263: php:8.1 security update (MODERATE)

ELSA-2025-15687: php:8.2 security update (MODERATE)

Множественные уязвимости php 8.3

Множественные уязвимости php 8.2