CVE-2025-1861
📋 TL;DR
This CVE describes a buffer size limitation vulnerability in PHP's HTTP redirect parsing. When PHP processes HTTP redirect responses, it truncates location headers longer than 1024 bytes instead of the recommended 8000 bytes, potentially causing users to be redirected to incorrect or malicious URLs. This affects PHP applications that make HTTP requests and follow redirects.
💻 Affected Systems
- PHP
📦 What is this software?
- ONTAP by NetApp
- PHP by PHP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect users to malicious sites for phishing, malware distribution, or credential theft by crafting HTTP responses whose Location header is longer than 1024 bytes, so that PHP truncates it and follows a different URL than the one actually sent.
Likely Case
Users could be redirected to unintended or malicious websites when interacting with PHP applications that follow HTTP redirects from untrusted sources.
If Mitigated
With proper input validation and URL verification, the risk is reduced to potential service disruption from incorrect redirects.
🎯 Exploit Status
Exploitation requires the PHP application to make HTTP requests, with redirect following enabled, to attacker-controlled servers or to servers that can be manipulated into returning a crafted redirect response.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.32, PHP 8.2.28, PHP 8.3.19, PHP 8.4.5
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff
Restart Required: Yes
Instructions:
1. Identify PHP version using 'php -v'.
2. Update PHP to patched version using your package manager (apt-get upgrade php, yum update php, etc.).
3. Restart web server (apache2 restart, systemctl restart nginx, etc.).
4. Verify update with 'php -v'.
🔧 Temporary Workarounds
Disable HTTP redirect following
Configure PHP HTTP clients not to follow redirects automatically, so that redirect responses are handled manually.
For file_get_contents: stream_context_set_default(['http' => ['follow_location' => 0]])
For cURL: curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false)
Validate redirect URLs
Implement custom redirect handling that validates Location URLs before following them.
Manual implementation required - check URL length and domain before redirecting
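The following is an added example of the manual redirect handling described above; it is not code from the advisory or from php-src. It uses the cURL extension with CURLOPT_FOLLOWLOCATION disabled, reads the redirect target that libcurl saw via CURLINFO_REDIRECT_URL, and only follows it if it is an absolute http(s) URL, no longer than 1024 bytes, and on an allowlist of hosts. The allowlist entries and the usage URL are constructed placeholders; the cURL extension does not go through PHP's HTTP stream wrapper, so the length check here is defense in depth rather than the fix itself.

```php
<?php
// Added example (not from the advisory or php-src): manual redirect handling
// with cURL so that the client never auto-follows a Location header.
// ALLOWED_HOSTS and the usage URL are constructed placeholders.

const MAX_REDIRECTS    = 5;
const MAX_LOCATION_LEN = 1024;   // the buffer size the advisory describes
const ALLOWED_HOSTS    = ['api.example.com', 'cdn.example.com']; // placeholder allowlist

/**
 * True only if $location is a redirect target we are willing to follow:
 * short enough, an absolute http(s) URL, and its host is on the allowlist.
 */
function isSafeRedirect(string $location): bool
{
    if (strlen($location) > MAX_LOCATION_LEN) {
        return false;                       // would be truncated by the vulnerable parser
    }
    $parts = parse_url($location);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                       // relative or malformed Location: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // no ftp://, file://, etc.
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

/**
 * Fetch $url, following at most MAX_REDIRECTS redirects, each one checked
 * with isSafeRedirect(). Returns [status, body, finalUrl].
 */
function fetchWithValidatedRedirects(string $url): array
{
    for ($hop = 0; $hop <= MAX_REDIRECTS; $hop++) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // never let the client auto-follow
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // Location as libcurl parsed it
        curl_close($ch);

        if ($body === false) {
            throw new RuntimeException("request to $url failed");
        }
        if ($status < 300 || $status > 399 || empty($next)) {
            return [$status, $body, $url];  // not a redirect: done
        }
        if (!isSafeRedirect($next)) {
            // Log a truncated copy so an oversized Location cannot flood the log.
            throw new RuntimeException("refusing redirect from $url to " . substr($next, 0, 200));
        }
        $url = $next;
    }
    throw new RuntimeException('too many redirects');
}

// Usage (placeholder URL):
// [$status, $body, $final] = fetchWithValidatedRedirects('https://api.example.com/start');
```

Refusing a redirect is deliberately an exception rather than a silent fallback: a Location header that fails validation is exactly the signal the "Detection & Monitoring" section asks you to log, so let it surface rather than quietly returning the 3xx body.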
🧯 If You Can't Patch
- Implement network controls to restrict outbound HTTP requests from PHP applications to trusted domains only
- Deploy WAF rules to detect and block malicious redirect patterns in HTTP responses
🔍 How to Verify
Check if Vulnerable:
Run 'php -v' and check if version falls within affected ranges: 8.1.0-8.1.31, 8.2.0-8.2.27, 8.3.0-8.3.18, 8.4.0-8.4.4
Check Version:
php -v | grep -oP 'PHP \K[0-9]+\.[0-9]+\.[0-9]+'
Verify Fix Applied:
Run 'php -v' and confirm version is 8.1.32+, 8.2.28+, 8.3.19+, or 8.4.5+
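As an added example (not from the advisory), the same check can be done from inside PHP using PHP_VERSION and the first fixed release of each branch listed above; a status of 'unknown' means the running branch is not one the advisory covers.

```php
<?php
// Added example, not from the advisory: classify the running interpreter
// against the fixed versions listed in the official fix section.

// First fixed release per branch, as given in the advisory.
const FIXED_VERSIONS = [
    '8.1' => '8.1.32',
    '8.2' => '8.2.28',
    '8.3' => '8.3.19',
    '8.4' => '8.4.5',
];

/**
 * Returns 'vulnerable', 'fixed', or 'unknown' (branch not listed in the advisory).
 * Pre-release suffixes such as "RC1" are kept so that a pre-release of the fixed
 * version is not treated as fixed (version_compare orders "8.4.5RC1" < "8.4.5").
 */
function cve20251861Status(string $version): string
{
    if (!preg_match('/^(\d+)\.(\d+)\.\d+/', $version, $m)) {
        return 'unknown';
    }
    $branch = $m[1] . '.' . $m[2];
    if (!isset(FIXED_VERSIONS[$branch])) {
        return 'unknown';
    }
    return version_compare($version, FIXED_VERSIONS[$branch], '>=') ? 'fixed' : 'vulnerable';
}

echo PHP_VERSION, ': ', cve20251861Status(PHP_VERSION), PHP_EOL;
```

One caveat for distribution packages: vendors such as Debian and Red Hat often backport a fix without changing the reported PHP version, so a 'vulnerable' result from this check (or from 'php -v') should be confirmed against the distribution's own changelog or security tracker before raising an alarm.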
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in application logs
- HTTP requests to unexpected domains following redirects
Network Indicators:
- HTTP 3xx responses with location headers longer than 1024 bytes
- Redirects to suspicious or unexpected domains
SIEM Query (pseudo-query; `length` stands for a field holding the Location header length, which you must derive from your own log format):
source="php.log" AND (("Location:" AND length>1024) OR ("redirect" AND "unexpected"))