CVE CyberSecurity Database News

CVE-2025-1861 - PHP HTTP Redirect Vulnerability from Incorrect Location Buffer Size

Poster -

A recently disclosed security issue affects multiple PHP versions: 8.1 (before 8.1.32), 8.2 (before 8.2.28), 8.3 (before 8.3.19), and 8.4 (before 8.4.5). Known as CVE-2025-1861, this vulnerability deals with how PHP handles HTTP redirects. Specifically, the PHP core sets a strict 1024-byte buffer for redirect locations, while the HTTP standard RFC911 recommends up to 800 bytes. This gap can cause PHP to mishandle long Location: headers, possibly redirecting users to the wrong URL.

In this long read, I’ll explain this vulnerability in plain language, show source code snippets, discuss practical exploits, and share official references.

Quick Technical Summary

- Component: PHP HTTP stream wrapper / HTTP request handler

8.4.x before 8.4.5

- Bug: Location: header values longer than 1024 characters get truncated, may cause mis-redirection.

How PHP Handles HTTP Redirects

When you use something like file_get_contents() or curl in PHP to fetch a resource, PHP may automatically follow HTTP redirects by reading the Location: header. Internally, PHP reads this header into a buffer.

Simplified Example

file_get_contents("http://example.com/redirect";);

If http://example.com/redirect responds with

HTTP/1.1 302 Found
Location: http://very-long-domain.com/some/very/very/long/path?with=long&params=...

PHP is supposed to follow that Location: and fetch the real page.

The Vulnerable Behavior

Prior to the fixed versions, PHP allocates a fixed-size buffer (1024 bytes) to store the value of the Location: header. However, if the server sends a Location: header that's longer than this, PHP silently truncates it.

What Really Happens (Simplified C Source)

#define LOCATION_LEN 1024
char location[LOCATION_LEN];
/* imagine reading location header */
strncpy(location, value_from_header, LOCATION_LEN-1);
location[LOCATION_LEN-1] = '\';

So if the header is, for example, 140 characters, only the first 1024 are stored. The rest are dropped.

RFC Says...

> "The field value of Location is a URI-reference ... HTTP does not place a limit on the length of this field, but recipients SHOULD be able to handle values of at least 800 octets."
> — RFC911, Section 15.5.2

Possible Exploits

Let's see how this small oversight could be dangerous in practice.

Suppose you have a redirect script on your server like this

// redirect.php?url=http://safe-site.com/page
header("Location: " . $_GET['url']);
exit();

If an attacker can control the url parameter, and the server responds with a Location: longer than 1024 characters, only the first 1024 are respected by PHP clients. Let's say this is split as:

Next part, after byte 1024: evil-site.com (truncated, causing broken behavior)

- Or, attacker crafts the URL so first 1024 form a valid-looking domain, but cut at just the right place to redirect elsewhere.

Attacker-controlled redirection

<?php
// Malicious redirect server
$url = str_repeat('A', 1023) . "http://evil.com";;
header("Location: $url");

When the vulnerable PHP client processes this Location:, the real URL will be cut at 1024 bytes, maybe resulting in an HTTP request not where the server owner intended.

If the malicious part after 1024 bytes modifies the actual intent of the URL (such as dropping part of a path, query, etc.), you could end up at a site controlled by the attacker, or with broken/ambiguous behavior.

Real-world Impact

This bug in itself does not grant code execution or direct access, but PHP-based web applications that make HTTP requests to third parties, or that perform redirects relying on the integrity of the Location: header, could be abused:

Open Redirects: Attackers craft Location: headers to mislead users or scripts.

- Bypassing Security Controls: If your site tries to validate allowed redirect locations by prefix, truncation may allow bypasses.

Sample Fixed Code (after patch)

PHP patched the buffer size to accommodate RFC911 recommendations by increasing limit to at least 800 bytes. The details are in core source and reflected in the changelog ([see references below](#references)).

References

- Security Advisory CVE-2025-1861 (PHP.net)
- RFC911: HTTP Semantics
- PHP Changelog (8.1.32)
- Common Vulnerabilities and Exposures - CVE-2025-1861

Conclusion

CVE-2025-1861 shows how small implementation details—like buffer sizes—can have big security impacts. If you’re operating PHP servers dealing with external HTTP requests, you should update your PHP as soon as possible. Failing to do so could leave your applications open to subtle redirection attacks, misusing what is supposed to be a safe HTTP standard.

Stay updated, and always validate your inputs (and outputs)!


*This post is exclusive content summarizing and simplifying the technical aspects of CVE-2025-1861 for developers and sysadmins. For official information, always refer to vendor advisories and changelogs.*

Timeline

Published on: 03/30/2025 06:15:14 UTC
Last modified on: 05/23/2025 14:15:26 UTC