USN-7400-1: PHP vulnerabilities
First published: Mon Mar 31 2025(Updated: )
It was discovered that PHP incorrectly handle certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2024-11235) It was discovered that PHP incorrectly handle certain folded headers. An attacker could possibly use this issue to cause a crash or execute arbritrary code. (CVE-2025-1217) It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS Ubuntu 24.10, and Ubuntu 24.04 LTS. (CVE-2025-1219) It was discovered that PHP incorrectly handle certain headers with invalid name and no colon. An attacker could possibly use this issue to confuse applications into accepting invalid headers causing code injection. (CVE-2025-1734) It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.10, and Ubuntu 24.04 LTS. (CVE-2025-1736) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2025-1861)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/libapache2-mod-php8.3 | <8.3.11-0ubuntu0.24.10.5 | 8.3.11-0ubuntu0.24.10.5 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/php8.3 | <8.3.11-0ubuntu0.24.10.5 | 8.3.11-0ubuntu0.24.10.5 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/php8.3-cgi | <8.3.11-0ubuntu0.24.10.5 | 8.3.11-0ubuntu0.24.10.5 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/php8.3-cli | <8.3.11-0ubuntu0.24.10.5 | 8.3.11-0ubuntu0.24.10.5 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/php8.3-fpm | <8.3.11-0ubuntu0.24.10.5 | 8.3.11-0ubuntu0.24.10.5 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/libapache2-mod-php8.3 | <8.3.6-0ubuntu0.24.04.4 | 8.3.6-0ubuntu0.24.04.4 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/php8.3 | <8.3.6-0ubuntu0.24.04.4 | 8.3.6-0ubuntu0.24.04.4 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/php8.3-cgi | <8.3.6-0ubuntu0.24.04.4 | 8.3.6-0ubuntu0.24.04.4 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/php8.3-cli | <8.3.6-0ubuntu0.24.04.4 | 8.3.6-0ubuntu0.24.04.4 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/php8.3-fpm | <8.3.6-0ubuntu0.24.04.4 | 8.3.6-0ubuntu0.24.04.4 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/libapache2-mod-php7.4 | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/libapache2-mod-php8.0 | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/libapache2-mod-php8.1 | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/php8.1 | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/php8.1-cgi | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/php8.1-cli | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/php8.1-fpm | <8.1.2-1ubuntu2.21 | 8.1.2-1ubuntu2.21 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/libapache2-mod-php7.4 | <7.4.3-4ubuntu2.29 | 7.4.3-4ubuntu2.29 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/php7.4 | <7.4.3-4ubuntu2.29 | 7.4.3-4ubuntu2.29 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/php7.4-cgi | <7.4.3-4ubuntu2.29 | 7.4.3-4ubuntu2.29 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/php7.4-cli | <7.4.3-4ubuntu2.29 | 7.4.3-4ubuntu2.29 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/php7.4-fpm | <7.4.3-4ubuntu2.29 | 7.4.3-4ubuntu2.29 |
| Ubuntu | =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2025-1734
- https://ubuntu.com/security/CVE-2025-1219
- https://ubuntu.com/security/CVE-2025-1736
- https://ubuntu.com/security/CVE-2025-1861
- https://ubuntu.com/security/CVE-2025-1217
- https://ubuntu.com/security/CVE-2024-11235
- https://launchpad.net/ubuntu/+source/php8.3/8.3.11-0ubuntu0.24.10.5
- https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.4
- https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.21
- https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.29
- https://ubuntu.com/security/notices/USN-7400-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-7400-1?
The severity of USN-7400-1 is currently classified as critical due to the potential for exploitation that may lead to crashes or arbitrary code execution.
How do I fix USN-7400-1?
To fix USN-7400-1, update your PHP packages to the recommended version 8.3.11-0ubuntu0.24.10.5 or later for Ubuntu 24.10.
Which versions of PHP are affected by USN-7400-1?
USN-7400-1 affects multiple PHP packages including libapache2-mod-php, php, php-cgi, php-cli, and php-fpm in different versions up to 8.3.6.
What products are impacted by USN-7400-1?
The affected products include Ubuntu 24.10, 24.04, and 22.04 running various versions of PHP.
Is there a workaround for USN-7400-1?
There is no official workaround for USN-7400-1; updating to the patched version is the recommended solution.
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/title
- agent/weakness
- agent/references
- agent/source
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- agent/description
- agent/type
- agent/event
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu
- version/ubuntu/24.10
- version/ubuntu/24.04
- version/ubuntu/22.04
- version/ubuntu/20.04