Buffer Limit Vulnerability in PHP Affects Multiple Versions
CVE-2025-1861
6.3 MEDIUM
What is CVE-2025-1861?
A buffer limit vulnerability in PHP affects multiple versions prior to their respective updates. The issue stems from an undersized buffer for HTTP redirect locations, which is capped at 1024 bytes; RFC 9110 recommends a limit of 8000 bytes. As a result, URLs in redirect responses may be truncated incorrectly, leading to potential misdirection and redirection to unintended locations. Administrators are urged to update their PHP installations to mitigate these risks.
Affected Version(s)
PHP 8.1.* < 8.1.32
PHP 8.2.* < 8.2.28
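A triage sketch for the issue described above, added here as an example and not taken from the advisory or the PHP project: it checks a version string against the fixed releases listed on this page and flags captured redirect responses whose Location value reaches the 1024-byte cap. The function names, the sample response and the truncation model (keeping the first 1024 bytes of the value) are assumptions.

```python
import re
from urllib.parse import urlsplit

LOCATION_CAP = 1024    # redirect-location buffer size stated in the advisory
RFC9110_LIMIT = 8000   # limit the advisory cites from RFC 9110
# Fixed releases listed on this page, keyed by branch.
FIXED = {"8.1": (8, 1, 32), "8.2": (8, 2, 28)}


def is_affected(version):
    """True/False for a branch listed on this page, None for anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    parts = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(f"{parts[0]}.{parts[1]}")
    return None if fixed is None else parts < fixed


def audit_redirect(header_lines, cap=LOCATION_CAP):
    """Classify the Location header of one captured response (None if absent).

    Assumption: truncation is modelled as keeping the first `cap` bytes of the
    value; the advisory gives the 1024-byte cap but not the exact cut point.
    """
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "location":
            continue
        url = value.strip().encode()
        at_risk = len(url) >= cap  # conservative: treat the boundary as unsafe
        changes = False
        if at_risk:
            full = urlsplit(url.decode())
            cut = urlsplit(url[:cap].decode(errors="replace"))
            # Host or path differs when the cut falls before the query string.
            changes = (full.netloc, full.path) != (cut.netloc, cut.path)
        return {"length": len(url), "at_risk": at_risk,
                "over_rfc_limit": len(url) > RFC9110_LIMIT,
                "target_changes": changes}
    return None


# Constructed sample response: the redirect path alone exceeds the cap.
SAMPLE = ["HTTP/1.1 302 Found",
          "Location: https://sso.example.test/" + "a" * 1100 + "/callback?state=xyz"]

if __name__ == "__main__":
    print(is_affected("8.1.31"), audit_redirect(SAMPLE))
```

A result with `at_risk` set marks a redirect that an unpatched client could cut short; `target_changes` shows whether the cut would alter the host or path rather than only the query string.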