
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-1736 affects PHP versions 8.1.x before 8.1.32, 8.2.x before 8.2.28, 8.3.x before 8.3.19, and 8.4.x before 8.4.5. The vulnerability involves insufficient validation of end-of-line characters when handling user-supplied headers, which can result in certain headers being prevented from being sent or being misinterpreted (PHP Advisory).
The vulnerability stems from the header check implementation in the check_has_header function, which fails to properly verify \r characters and only checks for \n in header values. This can be exploited when header values come from user input, such as cookie values. For example, an attacker could inject a payload like Cookie: x=y\nauhtorization:x\r\n which could interfere with header processing. The vulnerability has been assigned a CVSS 4.0 Base Score of 6.3 (Medium) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).
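The following is an added example, not code from PHP or from the advisory. It contrasts a simplified LF-only header check (the flawed pattern the advisory describes, not PHP's actual implementation) with one that rejects both CR and LF, and shows how application code can validate user-supplied values before handing them to the http stream wrapper's "header" context option. The function names, the regular expression for header names, and the sample values are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from PHP or the advisory. Function names and
// sample inputs are constructed for illustration.

// Flawed pattern: only "\n" is treated as a line terminator, so a value that
// carries a bare "\r" passes through unchallenged.
function headerValueRejectedLfOnly(string $value): bool
{
    return str_contains($value, "\n");
}

// Corrected pattern: any "\r" or "\n" anywhere in a header value is rejected.
function headerValueRejected(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

// Build a single "Name: value" line for the stream context, refusing anything
// that could split into additional header lines.
function buildHeaderLine(string $name, string $value): string
{
    // RFC 7230 token characters for the field name (assumption: ASCII names only).
    if (preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name) !== 1) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    if (headerValueRejected($value)) {
        throw new InvalidArgumentException("Header value for $name contains CR or LF");
    }
    return $name . ': ' . $value;
}

// Constructed inputs: the payload shape quoted in the advisory, a value that
// carries only a bare CR, and a benign cookie value.
$samples = [
    'advisory payload' => "x=y\nauhtorization:x\r\n",
    'bare CR'          => "x=y\rauthorization:x",
    'benign'           => "session=abc123",
];

foreach ($samples as $label => $value) {
    printf(
        "%-16s lf-only rejects: %-3s  cr+lf rejects: %s\n",
        $label,
        headerValueRejectedLfOnly($value) ? 'yes' : 'no',
        headerValueRejected($value) ? 'yes' : 'no'
    );
}

// Safe use with the http wrapper: validate every line first, then join them
// with CRLF and pass the result as the "header" option.
try {
    $headers = [
        buildHeaderLine('Cookie', $samples['benign']),
        buildHeaderLine('User-Agent', 'example-client/1.0'),
    ];
    $context = stream_context_create([
        'http' => ['method' => 'GET', 'header' => implode("\r\n", $headers)],
    ]);
    echo 'context built with ' . count($headers) . " validated header(s)\n";

    // The bare-CR value is refused before it can reach the wrapper.
    buildHeaderLine('Cookie', $samples['bare CR']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Running this on an unpatched or patched PHP shows the same thing from the application's side: the LF-only check lets the bare-CR sample through while the CR+LF check refuses it, so validating at the call site gives a defence that does not depend on the interpreter's own check being correct. Upgrading to the fixed versions remains the actual remediation; the call-site check is a belt-and-braces measure.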
The primary impact of this vulnerability is that authorization headers can be prevented from being sent, which could lead to denial of service conditions. The same flaw affects other headers that go through the check, such as user-agent, so those headers can also be misinterpreted, with security implications that depend on how the receiving side treats them (PHP Advisory).
The vulnerability has been patched in PHP versions 8.1.32, 8.2.28, 8.3.19, and 8.4.5. Users should upgrade to these patched versions to mitigate the vulnerability (NVD).
Source: This report was generated using AI