CVE-2025-1861 is a vulnerability identified in the PHP programming language, specifically affecting versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5. The issue arises from an incorrect calculation of the buffer size allocated for the HTTP Location header when PHP parses HTTP redirect responses. PHP currently limits the Location header buffer size to 1024 bytes, which is significantly smaller than the 8000-byte limit recommended by RFC9110. This limitation can cause truncation of the redirect URL if the Location header exceeds 1024 bytes, leading to incorrect URL redirection. Such truncation might redirect users to unintended or malicious URLs, potentially facilitating phishing attacks, session hijacking, or other redirect-based exploits. The vulnerability is classified under CWE-131 (Incorrect Calculation of Buffer Size) and has a CVSS 4.0 base score of 6.3, indicating medium severity. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), no user interaction (UI:N), and partial confidentiality impact (VC:L). No known exploits have been reported in the wild at the time of publication. The vulnerability affects web applications and services that rely on PHP for HTTP redirect handling, especially those that process user-supplied or third-party URLs in redirects. This flaw could be exploited by attackers to manipulate redirect destinations, potentially leading to security issues such as phishing or redirect loops.

For European organizations, this vulnerability poses a risk primarily to web applications and services that utilize affected PHP versions for handling HTTP redirects. Incorrect URL truncation could lead to users being redirected to malicious sites, increasing the risk of phishing attacks, credential theft, or malware distribution. Organizations in sectors with high web traffic, such as e-commerce, finance, government, and healthcare, may face reputational damage and regulatory scrutiny if exploited. The partial confidentiality impact suggests some information disclosure risk, though integrity and availability impacts are minimal. Since exploitation requires no authentication or user interaction, attackers can remotely trigger the vulnerability, increasing its threat potential. The medium severity rating indicates a moderate risk but warrants timely remediation to prevent exploitation. Additionally, the discrepancy with RFC9110 compliance could affect interoperability and user trust in web services. Overall, the vulnerability could undermine secure web navigation and user trust in affected European digital services.

European organizations should promptly upgrade PHP to the fixed versions: 8.1.32 or later, 8.2.28 or later, 8.3.19 or later, and 8.4.5 or later once available. Until patches are applied, organizations can implement web application firewall (WAF) rules to monitor and block HTTP responses with excessively long Location headers exceeding 1024 bytes. Application-level input validation should be enhanced to restrict or sanitize redirect URLs to safe, expected domains and lengths. Security teams should audit existing redirect implementations to identify any reliance on long Location headers and refactor them to comply with RFC9110 recommendations. Logging and monitoring should be increased for unusual redirect patterns or user complaints about unexpected redirects. Additionally, educating developers about proper buffer size handling and adherence to RFC standards can prevent similar issues. Organizations should also review third-party PHP modules or frameworks for related vulnerabilities. Coordinated vulnerability management and incident response plans should be updated to address potential exploitation scenarios involving redirect manipulation.