First published: Sun Mar 30 2025
In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when parsing an HTTP redirect in the response to an HTTP request, the size of the Location value is limited by a location buffer of only 1024 bytes. RFC 9110, however, recommends supporting a limit of 8000. A longer Location value may therefore be truncated into an incorrect URL, redirecting the client to the wrong location.
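The defect class here is a fixed-size buffer that silently truncates a header value instead of rejecting it. The C program below is an added illustration written for this page, not PHP's own source: it parses a constructed 302 response whose Location value is 1500 bytes long, copies it into a 1024-byte buffer the way a truncating copy would, and contrasts that with a strict copy that refuses values that do not fit and a buffer sized to the RFC 9110 recommendation of 8000. All function names (`find_location`, `copy_location_truncating`, `copy_location_strict`, `check_location_copy`), the sample host and the sample response are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCATION_LIMIT_OLD 1024   /* buffer size the advisory describes */
#define LOCATION_LIMIT_RFC 8000   /* minimum RFC 9110 recommends supporting */
#define SAMPLE_URL_LEN     1500   /* constructed: over 1024, under 8000 */

/* Case-insensitive prefix test (header names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Find the Location header value in a raw header block.
   Returns a pointer to its first byte and sets *len, or NULL if absent. */
static const char *find_location(const char *headers, size_t *len) {
    const char *p = headers;
    while (*p) {
        if (has_prefix_ci(p, "Location:")) {
            p += 9;
            while (*p == ' ' || *p == '\t') p++;
            const char *end = strpbrk(p, "\r\n");
            if (!end) end = p + strlen(p);
            *len = (size_t)(end - p);
            return p;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Truncating copy: the failure mode in the advisory. The tail of an
   over-long URL is dropped and the caller redirects to the cut URL.
   Returns bytes copied, or -1 when there is no Location header. */
int copy_location_truncating(const char *headers, char *out, size_t out_size) {
    size_t len;
    const char *v = find_location(headers, &len);
    if (!v) return -1;
    if (len >= out_size) len = out_size - 1;   /* silent truncation */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Strict copy: a value that does not fit is an error (-2), so the caller
   never follows a redirect to a URL it has not seen in full. */
int copy_location_strict(const char *headers, char *out, size_t out_size) {
    size_t len;
    const char *v = find_location(headers, &len);
    if (!v) return -1;
    if (len >= out_size) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed 302 response whose Location value is exactly url_len bytes. */
char *build_sample_response(size_t url_len) {
    const char *head = "HTTP/1.1 302 Found\r\nLocation: ";
    const char *base = "https://example.test/";   /* constructed host */
    const char *tail = "\r\nContent-Length: 0\r\n\r\n";
    size_t base_len = strlen(base);
    if (url_len < base_len) url_len = base_len;
    char *resp = malloc(strlen(head) + url_len + strlen(tail) + 1);
    if (!resp) return NULL;
    char *p = resp;
    memcpy(p, head, strlen(head));         p += strlen(head);
    memcpy(p, base, base_len);             p += base_len;
    memset(p, 'a', url_len - base_len);    p += url_len - base_len;
    memcpy(p, tail, strlen(tail) + 1);     /* includes terminating NUL */
    return resp;
}

/* Copy the sample Location into a buffer of `limit` bytes and return the
   result code of the chosen copy routine. */
int check_location_copy(size_t limit, int strict) {
    char *resp = build_sample_response(SAMPLE_URL_LEN);
    char *buf = malloc(limit);
    if (!resp || !buf) { free(resp); free(buf); return -99; }
    int rc = strict ? copy_location_strict(resp, buf, limit)
                    : copy_location_truncating(resp, buf, limit);
    free(buf);
    free(resp);
    return rc;
}

int main(void) {
    printf("1024-byte buffer, truncating copy: %d bytes kept (URL cut short)\n",
           check_location_copy(LOCATION_LIMIT_OLD, 0));
    printf("1024-byte buffer, strict copy:     %d (redirect refused)\n",
           check_location_copy(LOCATION_LIMIT_OLD, 1));
    printf("8000-byte buffer, strict copy:     %d bytes, full URL kept\n",
           check_location_copy(LOCATION_LIMIT_RFC, 1));
    return 0;
}
```

The point of the strict variant is that an oversized value becomes a visible error rather than a different URL: a client that cannot hold the whole Location should stop, not guess. Raising the buffer to 8000 bytes addresses the RFC recommendation; refusing values that still do not fit addresses the truncation itself.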
Affected Software | Affected Version | How to fix
---|---|---
PHP | >8.1.32 | Update to 8.1.32 or later
PHP | >8.2.28 | Update to 8.2.28 or later
PHP | >8.3.19 | Update to 8.3.19 or later
PHP | >8.4.5 | Update to 8.4.5 or later
The severity of REDHAT-BUG-2356046 is considered high because a truncated Location value during HTTP redirect parsing can send the client to an unintended URL.
To fix REDHAT-BUG-2356046, update PHP to version 8.1.32 or later, 8.2.28 or later, 8.3.19 or later, or 8.4.5 or later.
Versions of PHP affected by REDHAT-BUG-2356046 include all versions before 8.1.32, 8.2.28, 8.3.19, and 8.4.5.
The vulnerability REDHAT-BUG-2356046 is caused by the buffer for the HTTP Location value being limited to 1024 bytes.
Currently, there is no official workaround for REDHAT-BUG-2356046; upgrading to the patched versions is advised.