Red Hat Security Advisory: php:8.3 security update
Multiple security vulnerabilities affecting PHP 8.3 have been addressed in a Red Hat Enterprise Linux 9 update. These include issues in the HTTP stream wrapper such as improper handling of folded headers, omission of basic auth headers, acceptance of invalid headers, incorrect content-type headers on redirects, and truncation of redirect locations. Additionally, a use-after-free vulnerability in php_request_shutdown was fixed. The update is rated as Important by Red Hat Product Security.
AI Analysis
Technical Summary
This Red Hat security advisory addresses six vulnerabilities in PHP 8.3, including CVE-2024-11235 (use-after-free in php_request_shutdown), CVE-2025-1217 (improper handling of folded headers in HTTP stream wrapper), CVE-2025-1736 (omission of basic auth header in HTTP stream wrapper), CVE-2025-1734 (failure to reject headers with invalid name and no colon), CVE-2025-1219 (incorrect content-type header in libxml streams on redirected resources), and CVE-2025-1861 (truncation of redirect location to 1024 bytes in HTTP stream wrapper). These issues impact the HTTP stream wrapper and related components in PHP 8.3 and have been fixed in the update provided for Red Hat Enterprise Linux 9. The advisory references Red Hat's errata RHSA-2025:7418 and provides links for applying the update.
Potential Impact
The vulnerabilities could lead to improper handling of HTTP headers, potentially causing authentication bypass, incorrect content handling, or memory corruption (use-after-free) in PHP applications. The use-after-free vulnerability (CVE-2024-11235) is particularly critical as it may lead to memory corruption. However, no known exploits in the wild have been reported. The overall security impact is rated as Important by Red Hat, indicating a high risk if unpatched.
Mitigation Recommendations
A security update for the php:8.3 module is available for Red Hat Enterprise Linux 9 and its variants. Users should apply the update as per Red Hat's guidance in article https://access.redhat.com/articles/11258 to remediate these vulnerabilities. The vendor advisory confirms that the update fixes these issues. No additional mitigation steps are specified beyond applying the official patch.
Red Hat Security Advisory: php:8.3 security update
Description
Multiple security vulnerabilities affecting PHP 8.3 have been addressed in a Red Hat Enterprise Linux 9 update. These include issues in the HTTP stream wrapper such as improper handling of folded headers, omission of basic auth headers, acceptance of invalid headers, incorrect content-type headers on redirects, and truncation of redirect locations. Additionally, a use-after-free vulnerability in php_request_shutdown was fixed. The update is rated as Important by Red Hat Product Security.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This Red Hat security advisory addresses six vulnerabilities in PHP 8.3, including CVE-2024-11235 (use-after-free in php_request_shutdown), CVE-2025-1217 (improper handling of folded headers in HTTP stream wrapper), CVE-2025-1736 (omission of basic auth header in HTTP stream wrapper), CVE-2025-1734 (failure to reject headers with invalid name and no colon), CVE-2025-1219 (incorrect content-type header in libxml streams on redirected resources), and CVE-2025-1861 (truncation of redirect location to 1024 bytes in HTTP stream wrapper). These issues impact the HTTP stream wrapper and related components in PHP 8.3 and have been fixed in the update provided for Red Hat Enterprise Linux 9. The advisory references Red Hat's errata RHSA-2025:7418 and provides links for applying the update.
Potential Impact
The vulnerabilities could lead to improper handling of HTTP headers, potentially causing authentication bypass, incorrect content handling, or memory corruption (use-after-free) in PHP applications. The use-after-free vulnerability (CVE-2024-11235) is particularly critical as it may lead to memory corruption. However, no known exploits in the wild have been reported. The overall security impact is rated as Important by Red Hat, indicating a high risk if unpatched.
Mitigation Recommendations
A security update for the php:8.3 module is available for Red Hat Enterprise Linux 9 and its variants. Users should apply the update as per Red Hat's guidance in article https://access.redhat.com/articles/11258 to remediate these vulnerabilities. The vendor advisory confirms that the update fixes these issues. No additional mitigation steps are specified beyond applying the official patch.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2025:7418
- Cve Count
- 6
- Additional Cves
- ["CVE-2025-1217","CVE-2025-1219","CVE-2025-1734","CVE-2025-1736","CVE-2025-1861"]
- Cvss Version
- null
Threat ID: 6a4049e927e9c79719835d08
Added to database: 06/27/2026, 22:08:41 UTC
Last enriched: 06/27/2026, 22:38:11 UTC
Last updated: 06/30/2026, 04:51:10 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.