
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-8925 affects PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12. The vulnerability involves erroneous parsing of multipart form data contained in HTTP POST requests, which could lead to legitimate data not being processed (PHP Advisory).
The vulnerability stems from a bug in the parsing of multipart form data contents, affecting both file and input form data. If a multipart form data payload contains a valid prefix X of the defined boundary B such that 5 KiB < |X| < |B| < 8 KiB, the logic responsible for parsing and storing the multipart payload fails to correctly extract the contents between two boundaries. The issue lies in the partial match handling in the php_ap_memstr function (PHP Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NVD and 3.1 (Low) by the PHP Group (NVD).
The vulnerability violates data integrity: an attacker who can control the request boundary can control part of the submitted data and cause portions of other, legitimate data to be excluded, potentially leading to erroneous application behavior (PHP Advisory, NVD).
The vulnerability has been patched in PHP versions 8.1.30, 8.2.24, and 8.3.12. Users are advised to upgrade to these or later versions to mitigate the vulnerability (PHP Advisory).
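The version ranges and the boundary-size condition described above can be turned into a triage check for inventory and request logs. The Python below is an added example, not code from the PHP advisory or from this database; the function names and sample headers are constructed, and the 70-character boundary limit is taken from RFC 2046, not from this page.

```python
import re
from email.message import Message

KIB = 1024
# First fixed patch release per branch, as listed on this page.
FIXED = {(8, 1): 30, (8, 2): 24, (8, 3): 12}
RFC2046_MAX = 70  # assumption from RFC 2046, not from this page


def php_is_affected(version: str) -> bool:
    """True if version falls in an affected range listed on this page.
    Branches the page does not list return False (no claim is made)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable PHP version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed


def boundary_of(content_type: str):
    """Return the boundary parameter of a multipart Content-Type, else None."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return None
    return msg.get_boundary()


def classify_boundary(content_type: str) -> str:
    """Label a request header by boundary size (hypothetical helper)."""
    boundary = boundary_of(content_type)
    if boundary is None:
        return "no-boundary"
    n = len(boundary.encode("utf-8", "replace"))
    # Necessary condition only: the body must also contain a long prefix X.
    if 5 * KIB < n < 8 * KIB:
        return "cve-2024-8925-window"
    return "oversized" if n > RFC2046_MAX else "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = ["multipart/form-data; boundary=----FormBoundary7MA4YWxk",
               "multipart/form-data; boundary=" + "b" * 6000]
    for ct in samples:
        print(ct[:48], "->", classify_boundary(ct))
    print("8.2.23 affected:", php_is_affected("8.2.23"))
```

Browser-generated boundaries are a few dozen bytes, so a multi-kilobyte boundary is unusual enough to log or reject at a proxy in front of PHP hosts that cannot be upgraded immediately.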
Source: This report was generated using AI