Stream HTTP wrapper truncates redirect location to 1024 bytes

Content

The size of the location value is currently limited because the location buffer is limited to 1024. However, per https://www.rfc-editor.org/rfc/rfc9110#name-uri-references, the recommended limit is 8000. Browser limits are usually around 2048, so 1024 is really too low and might have a real impact in practice.

Impact

The URI truncation might omit critical information (e.g. from the query) or even redirect to other resources. It could even result in a DoS of the remote site if the truncated URL results in an error.
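To make the impact concrete, the following added example (not part of the advisory or of php-src) reports which query parameters are dropped or shortened, and whether the path changes, when a Location value is cut at a fixed byte limit. It assumes the client keeps exactly the first 1024 bytes; the sample URLs, hosts and parameter names are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

LOCATION_LIMIT = 1024  # byte limit named in the advisory; exact cut-off is an assumption

# Constructed sample Location values (hypothetical hosts and parameters).
SHORT = "https://app.example/cb?code=xyz"
LONG_QUERY = "https://app.example/cb?state=" + "A" * 1000 + "&code=xyz&sig=deadbeef"
LONG_PATH = "https://files.example/" + "d/" * 510 + "report.pdf?token=t"


def truncation_effect(location, limit=LOCATION_LIMIT):
    """Report what a client keeping only `limit` bytes of a Location value would lose."""
    raw = location.encode("utf-8")
    if len(raw) <= limit:
        return {"truncated": False, "length": len(raw)}
    # A byte-level cut can split a multi-byte character, hence errors="replace".
    cut = raw[:limit].decode("utf-8", errors="replace")
    full, short = urlsplit(location), urlsplit(cut)
    full_q = parse_qsl(full.query, keep_blank_values=True)
    short_q = dict(parse_qsl(short.query, keep_blank_values=True))
    return {
        "truncated": True,
        "length": len(raw),
        # A cut inside the path sends the client to a different resource.
        "path_changed": full.path != short.path,
        # Parameters that vanish entirely from the truncated URL.
        "dropped_params": [k for k, _ in full_q if k not in short_q],
        # Parameters that survive but with a shortened value.
        "altered_params": [k for k, v in full_q if k in short_q and short_q[k] != v],
    }


if __name__ == "__main__":
    for url in (SHORT, LONG_QUERY, LONG_PATH):
        print(truncation_effect(url))
```

Running it over redirect targets taken from your own server logs shows which redirects an affected client would follow to a different or incomplete URL.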

Workarounds

There is no real workaround for this.

Linked CVEs

CVE ID Severity (CVE.org) CVSS (CVE.org) EPSS EPSS-% Published (CVE.org)

CVE-2025-1861

- - - -

Source details

Label Name Category Tags Audience Language Feed URL
PHP Security (php/php-src GHSA)

php_sec

vendor_advisory php, runtime - de https://github.com/php/php-src/security/advisories