CVE-2025-1861: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in PHP versions 8.1. before 8.1.32, 8.2. before 8.2.28, 8.3. before 8.3.19, and 8.4. before 8.4.5, related to HTTP redirect handling. The issue stems from a limited location buffer size of 1024 bytes when parsing HTTP redirect responses, which is significantly lower than the RFC9110 recommended size of 8000 bytes (PHP Advisory, NVD).

The vulnerability (CVE-2025-1861) is classified as CWE-131 (Incorrect Calculation of Buffer Size). It has been assigned a CVSS 4.0 Base Score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The issue specifically relates to the HTTP wrapper's handling of redirect locations, where the current implementation limits the buffer size to 1024 bytes, while browsers typically allow around 2048 bytes (NVD, PHP Advisory).

The vulnerability can lead to incorrect URL truncation and redirection to wrong locations. When the location value exceeds the 1024-byte limit, critical information might be omitted, particularly from query parameters. In some cases, this could result in a denial of service condition for the remote site if the truncated URL generates errors (PHP Advisory).

No direct workarounds are available for this vulnerability. The recommended solution is to upgrade to the patched versions: PHP 8.1.32, 8.2.28, 8.3.19, or 8.4.5. Various Linux distributions have also released fixed packages, including Ubuntu and Debian (Ubuntu Security, Debian Security).