SB2025031234 - Multiple vulnerabilities in PHP
Published: March 12, 2025 Updated: March 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2024-11235)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in the reference counter within php_request_shutdown function. A remote attacker can perform a denial of service (DoS) attack.
2) Resource management error (CVE-ID: CVE-2025-1219)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in libxml streams due to usage of an incorrect Content-Type header when requesting a redirected resource. A remote attacker can leverage this vulnerability to perform content spoofing or XSS attacks.
3) Improper Authentication (CVE-ID: CVE-2025-1736)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in Stream HTTP wrapper header check, which can omit Basic authentication header. A remote attacker can bypass authentication mechanisms that rely on Basic authentication.
4) Input validation error (CVE-ID: CVE-2025-1861)
The vulnerability allows a remote attacker to redirect the application to a malicious URL.
The vulnerability exists due to insufficient validation of user-supplied input. The Stream HTTP wrapper truncates redirect location to 1024 bytes, which can lead to the application being redirected to a wrong URL.
5) Input validation error (CVE-ID: CVE-2025-1734)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the Streams HTTP wrapper does not fail for headers without a colon. A remote attacker can potentially perform header injection, which can lead to a spoofing attack.
6) Input validation error (CVE-ID: CVE-2025-1217)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Header parser of HTTP Stream wrapper does not handle folded headers. A remote attacker can perform spoofing attack by manipulating HTTP headers.
Remediation
Install update from vendor's website.
References
- https://www.php.net/archive/2025.php#2025-03-13
- https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477
- https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc
- https://github.com/php/php-src/security/advisories/GHSA-hgf54-96fm-v528
- https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff
- https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44
- https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g