In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

Streams HTTP wrapper does not fail for headers with invalid name and no colon

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...

Streams HTTP wrapper does not fail for headers with invalid name and no colon

Уязвимость интерпретатора языка программирования PHP, связанная с недостатками обработки заголовков HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Moderate: php security update

ELSA-2025-7431: php security update (MODERATE)

Security update for php7

Security update for php7

Security update for php8

Security update for php8

Important: php security update

Important: php:8.3 security update

ELSA-2025-7489: php security update (IMPORTANT)

ELSA-2025-7418: php:8.3 security update (IMPORTANT)

Moderate: php:8.2 security update

Moderate: php:8.1 security update

Moderate: php:8.2 security update