CVE-2025-1861
Publication date 14 March 2025
Last updated 18 July 2025
Ubuntu priority
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Status
Package | Ubuntu Release | Status |
---|---|---|
php7.2 | 25.04 plucky | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Fixed 7.2.24-0ubuntu0.18.04.17+esm8
|
|
php5 | 25.04 plucky | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
14.04 LTS trusty |
Needs evaluation
|
|
php7.0 | 25.04 plucky | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
16.04 LTS xenial |
Fixed 7.0.33-0ubuntu0.16.04.16+esm15
|
|
php7.4 | 25.04 plucky | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal |
Fixed 7.4.3-4ubuntu2.29
|
|
php8.1 | 25.04 plucky | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Fixed 8.1.2-1ubuntu2.21
|
|
20.04 LTS focal | Not in release | |
php8.3 | 25.04 plucky | Not in release |
24.04 LTS noble |
Fixed 8.3.6-0ubuntu0.24.04.4
|
|
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
php8.4 | 25.04 plucky |
Fixed 8.4.5-1
|
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
References
Related Ubuntu Security Notices (USN)
- USN-7400-1
- PHP vulnerabilities
- 31 March 2025
- USN-7645-1
- PHP vulnerabilities
- 17 July 2025