PHP <8.1.32/8.2.28/8.3.19/8.4.5: Invalid Headers Treated as Valid
CVE-2025-1734 Published on March 30, 2025
Streams HTTP wrapper does not fail for headers with invalid name and no colon
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2025-1734
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-1734 are published in these products:
Affected Versions
PHP Group PHP:- Version 8.1.* and below 8.1.32 is affected.
- Version 8.2.* and below 8.2.28 is affected.
- Version 8.3.* and below 8.3.19 is affected.
- Version 8.4.* and below 8.4.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.