{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-30T05:43:35Z",
  "bugzilla" : {
    "description" : "php: Streams HTTP wrapper does not fail for headers with invalid name and no colon",
    "id" : "2356042",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2356042"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from an HTTP server, headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.", "A flaw was found in the PHP streams HTTP wrapper. Response headers that are malformed because they lack a colon (:) are not rejected, which may confuse applications into processing them as valid headers." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7489",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "php-0:8.3.19-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15687",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:8.2-8100020250903052702.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2470",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "php:7.4-8100020260119075152.f7998665"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4263",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.1-9050020250423093228.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7418",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.3-9060020250409105946.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7431",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php-0:8.0.30-3.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:7432",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "php:8.2-9060020250428130539.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-1734\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1734\nhttps://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44" ],
  "name" : "CVE-2025-1734",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}