Red Hat Product Security issued an advisory (RHSA-2025:7315) for PHP on Red Hat Enterprise Linux 9, addressing nine distinct vulnerabilities: CVE-2024-2756 (host/secure cookie bypass due to partial fix of CVE-2022-31629), CVE-2024-3096 (password_verify function erroneously returning true, risking account takeover), CVE-2024-5458 (filter_var URL validation bypass), CVE-2024-8925 (erroneous multipart form data parsing), CVE-2024-8927 (cgi.force_redirect configuration bypass via environment variable collision), CVE-2024-9026 (PHP-FPM log manipulation), CVE-2024-8929 (heap buffer over-read in mysqlnd leaking partial heap content), CVE-2024-11233 (single byte overread in quoted-printable decode filter), and CVE-2024-11234 (CRLF injection via proxy configuration in stream context). The advisory provides updated PHP packages to remediate these issues. No CVSS scores are provided in the advisory, but the overall impact is rated moderate.

The vulnerabilities collectively could allow attackers to bypass security controls such as cookie protections and configuration restrictions, cause erroneous authentication results leading to account takeover risks, bypass input validation filters, manipulate logs, leak sensitive memory content, and inject CRLF sequences potentially affecting URI handling. These issues can undermine application security and data integrity on affected PHP installations.

Red Hat has released updated PHP packages for Red Hat Enterprise Linux 9 that address these vulnerabilities. Users should apply the official Red Hat update as described in the advisory RHSA-2025:7315 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. No additional mitigations are indicated beyond applying the official patch.