{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-29T05:19:33Z",
  "bugzilla" : {
    "description" : "php: Header parser of http stream wrapper does not handle folded headers",
    "id" : "2355917",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2355917"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.", "A flaw was found in PHP. This vulnerability allows misinterpretation of HTTP response headers, potentially leading to incorrect usage of headers, MIME types, and other response attributes via incorrect parsing of folded headers in the HTTP request module." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7489",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "php-0:8.3.19-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15687",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:8.2-8100020250903052702.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2470",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:7.4-8100020260119075152.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4263",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.1-9050020250423093228.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7418",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.3-9060020250409105946.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7431",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php-0:8.0.30-3.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7432",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.2-9060020250428130539.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-1217\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1217\nhttps://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g" ],
  "name" : "CVE-2025-1217",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}