CVE-2025-1217: 
PHP vulnerability analysis and mitigation

CVE-2025-1217 is a vulnerability discovered in PHP versions 8.1. before 8.1.32, 8.2. before 8.2.28, 8.3. before 8.3.19, and 8.4. before 8.4.5. The vulnerability was disclosed on March 29, 2025, and involves incorrect parsing of folded headers in the HTTP request module when processing HTTP responses from servers (NVD, PHP Advisory).

The vulnerability stems from a flaw in the HTTP stream wrapper's header parser, which fails to properly handle folded headers. When processing HTTP responses, the parser incorrectly treats every newline as a header separator, instead of recognizing that header lines beginning with whitespace are continuations of the previous header. This behavior violates RFC9112#5.2 specifications. The vulnerability has been assigned a CVSS v4.0 score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A (NVD, PHP Advisory).

The vulnerability can lead to misinterpretation of HTTP response headers and incorrect usage of MIME types. Specifically, the STREAMNOTIFYMIMETYPEIS notification might report an incorrect MIME type if the content-type header is a folded header. Additionally, the $httpresponseheader array contains header continuation lines as they appear on-the-wire, requiring userland code to be aware of folded headers (PHP Advisory).

Users are recommended to upgrade to PHP versions 8.1.32, 8.2.28, 8.3.19, or 8.4.5 depending on their current PHP branch. These patched versions properly handle folded headers in HTTP responses (NVD, Debian Security).