CVE-2025-1217
Description
RHSA-2026:2470: php:7.4 security update (Moderate)
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description php: Header parser of http stream wrapper does not handle folded headers Red Hat statement Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. CVSS v3: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)โฆ
Workaround
for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Description
php: Header parser of http stream wrapper does not handle folded headers
Red Hat statement
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVSS v3: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | php-0:8.3.19-1.el10_0 | RHSA-2025:7489 | 2025-05-13T00:00:00Z |
| Red Hat Enterprise Linux 8 | php:8.2-8100020250903052702.f7998665 | RHSA-2025:15687 | 2025-09-11T00:00:00Z |
| Red Hat Enterprise Linux 8 | php:7.4-8100020260119075152.f7998665 | RHSA-2026:2470 | 2026-02-10T00:00:00Z |
| Red Hat Enterprise Linux 9 | php:8.1-9050020250423093228.9 | RHSA-2025:4263 | 2025-04-28T00:00:00Z |
| Red Hat Enterprise Linux 9 | php:8.3-9060020250409105946.9 | RHSA-2025:7418 | 2025-05-13T00:00:00Z |
| Red Hat Enterprise Linux 9 | php-0:8.0.30-3.el9_6 | RHSA-2025:7431 | 2025-05-13T00:00:00Z |
| Red Hat Enterprise Linux 9 | php:8.2-9060020250428130539.9 | RHSA-2025:7432 | 2025-05-13T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | php | Out of support scope |
| Red Hat Enterprise Linux 7 | php | Out of support scope |
Apply commands
yum update -y php
# or:
dnf upgrade -y phpOS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rocky | 8 | fixed | |
| almalinux | 8 | fixed | php-pear-1.10.13-1.module_el8.10.0+3935+28808425.noarch.rpm |
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bullseye | fixed | 7.4.33-1+deb11u8 |
| debian | forky | fixed | 8.4.5-1 |
| debian | sid | fixed | 8.4.5-1 |
| debian | trixie | fixed | 8.4.5-1 |
| debian | bookworm | fixed | 8.2.28-1~deb12u1 |
| almalinux | 9 | fixed | php-opcache-8.1.32-1.module_el9.5.0+156+9f1cd3fd.aarch64.rpm |
| rhel | 8 | fixed | |
References
- https://errata.rockylinux.org/RLSA-2025:15687
- https://errata.rockylinux.org/RLSA-2026:2470
- https://access.redhat.com/errata/RHSA-2025:4263
- https://access.redhat.com/errata/RHSA-2025:7418
- https://access.redhat.com/errata/RHSA-2025:7431
- https://access.redhat.com/errata/RHSA-2025:7432
- https://access.redhat.com/errata/RHSA-2026:2470
- https://bugzilla.redhat.com/2327960
- https://bugzilla.redhat.com/2328521
- https://bugzilla.redhat.com/2328523
- https://bugzilla.redhat.com/2355917
- https://bugzilla.redhat.com/2356041
- https://bugzilla.redhat.com/2356042
- https://bugzilla.redhat.com/2356043
- https://bugzilla.redhat.com/2356046
- https://bugzilla.redhat.com/2378689
- https://bugzilla.redhat.com/2378690
- https://bugzilla.redhat.com/2379792
- https://bugzilla.redhat.com/2425625
- https://bugzilla.redhat.com/2425626
- https://errata.almalinux.org/8/ALSA-2026-2470.html
- https://www.suse.com/security/cve/CVE-2025-1217.html
- https://errata.rockylinux.org/RLSA-2025:7431
- https://errata.rockylinux.org/RLSA-2025:4263
- https://security-tracker.debian.org/tracker/CVE-2025-1217
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.