NetApp Knowledge Base

CVE 2025 1861 PHP vulnerability in ONTAP 9

Visibility: Internal
Applies to

Issue

PHP has released a Security Advisory and patches for one or more CVEs. Your
product has been identified as using PHP based on Blackduck data.

Evaluation of your product is required within 72 hours to determine if the
vulnerable code is present and the product exposed. This information may be
distributed in a public security advisory prior to patches being released.

Corrective actions will be determined after the analysis.

The Severity is based on the CVSS mapping to BURT. More information is available
at: https://security.eng.netapp.com/docs...nal-procedures

Contact ng-psirt@netapp.com with any questions.
++++++++++++++++++++++++++

VULNERABILITY INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2025-1861
https://access.redhat.com/security/cve/CVE-2025-1861
https://security-tracker.debian.org/.../CVE-2025-1861
https://github.com/php/php-src/secur...52jp-hrpf-2jff

Note: the online version of the advisory may be updated with additional details
over time.

===============================
Known Affected Versions:
PHP 8.1 prior to 8.1.32, PHP 8.2 prior to 8.2.28, PHP 8.3 prior to 8.3.19, and
PHP 8.4 prior to 8.4.5

Fixed Versions:
PHP versions 8.1.32, 8.2.28, 8.3.19, and 8.4.5

Please check the provided links in the vulnerability information for further
details.
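To make the version ranges above directly usable in the analysis this KB asks for, the following Python helper is added here as an example; it is not NetApp's code and not part of PHP. It parses a bare version string or the first line of `php -v` output and reports whether the version falls before the fixed release of its branch. Two things are assumptions of this example: branches the advisory does not list (8.0 and earlier, or anything newer than 8.4) are reported as outside the listed ranges rather than as fixed, and the `php -v` banner used as input is constructed.

```python
"""Added example, not part of the NetApp KB or of PHP: check a PHP version
against the affected/fixed ranges this advisory lists for CVE-2025-1861."""
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 32),
    (8, 2): (8, 2, 28),
    (8, 3): (8, 3, 19),
    (8, 4): (8, 4, 5),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract major.minor.patch from strings like '8.3.17' or '8.2.28-1+ubuntu22.04'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_php_v(output):
    """Pull the version out of the first line of `php -v` output (banner format assumed)."""
    first = output.splitlines()[0]
    if not first.startswith("PHP "):
        raise ValueError(f"unexpected php -v banner: {first!r}")
    return ".".join(str(n) for n in parse_php_version(first))


def is_affected(version_text):
    """Return (affected, reason) for a PHP version under the advisory's ranges.

    Assumption: branches the advisory does not list (8.0 and earlier, 8.5+)
    are reported as outside its ranges, not as fixed; assess them separately.
    """
    ver = parse_php_version(version_text)
    branch = ver[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return False, f"{version_text}: branch {branch[0]}.{branch[1]} is not listed in the advisory"
    fixed_text = ".".join(str(n) for n in fixed)
    if ver < fixed:
        return True, f"{version_text} is before fixed release {fixed_text}"
    return False, f"{version_text} is at or after fixed release {fixed_text}"


# Constructed sample of a `php -v` banner (not captured from any real system).
SAMPLE_PHP_V = (
    "PHP 8.2.27 (cli) (built: Jan  1 2025 00:00:00) (NTS)\n"
    "Copyright (c) The PHP Group\n"
)

if __name__ == "__main__":
    checks = ("8.1.31", "8.1.32", "8.3.19", "8.4.4", "8.0.30", version_from_php_v(SAMPLE_PHP_V))
    for v in checks:
        affected, reason = is_affected(v)
        print("AFFECTED    " if affected else "not affected", reason)
```

Feed it the output of `php -v` from the component under review; a `True` result means the version is inside an affected range and the analysis should then establish whether the HTTP redirect-following code path is actually reachable in the product.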
===============================
CVE-2025-1861
===============================
CVSS Score: 6.3 (MEDIUM)
(CVSS:4.0/AV:N/AC:L/AT...SC:N/SI:N/SA:N)

NVD: In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.*
before 8.3.19, and from 8.4.* before 8.4.5, when parsing an HTTP redirect in the
response to an HTTP request, there is currently a limit on the location value
size, caused by the location buffer being limited to 1024. However, as per
RFC 9110, the recommended limit is 8000. This may lead to incorrect URL
truncation and redirecting to a wrong location.

Impact: Successful exploitation of this vulnerability could lead to disclosure
of sensitive information, addition or modification of data, or Denial of Service
(DoS).
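The following Python is an added illustration, not code from the KB, from NetApp, or from PHP. It models the truncation the NVD text describes (a fixed 1024-byte location buffer that keeps the first 1024 bytes and drops the rest) and gives a reviewer a check over captured HTTP responses: any 3xx whose Location header exceeds 1024 bytes is one an unpatched PHP client would follow to the wrong URL, even though RFC 9110 recommends supporting at least 8000. The truncation model, the hostnames and the sample responses are constructed assumptions of this example.

```python
"""Added example, not from the NetApp KB, from NetApp, or from PHP: model the
Location-header truncation the NVD text describes for CVE-2025-1861 and flag
redirect responses an unpatched PHP client would follow to the wrong URL."""
from urllib.parse import urlsplit

PHP_LOCATION_LIMIT = 1024    # pre-fix location buffer size named in the NVD text
RFC9110_RECOMMENDED = 8000   # minimum the advisory cites from RFC 9110


def followed_location(location, limit=PHP_LOCATION_LIMIT):
    """URL a client with a fixed `limit`-byte location buffer would end up following.

    Assumed model: the first `limit` bytes are kept and the remainder is dropped,
    which is the 'incorrect URL truncation' the advisory describes.
    """
    raw = location.encode("utf-8")
    return raw[:limit].decode("utf-8", errors="replace")


def truncation_effect(location, limit=PHP_LOCATION_LIMIT):
    """Compare the target the server sent with the one a truncating client follows."""
    sent = urlsplit(location)
    got = urlsplit(followed_location(location, limit))
    return {
        "truncated": len(location.encode("utf-8")) > limit,
        "same_host": sent.netloc == got.netloc,
        "same_path": sent.path == got.path,
        "query_lost": bool(sent.query) and sent.query != got.query,
    }


def parse_headers(raw):
    """Minimal parser for an HTTP/1.1 status line plus headers (CRLF separated)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_oversized_redirect(raw_response, limit=PHP_LOCATION_LIMIT):
    """Return a finding for a 3xx response whose Location exceeds `limit` bytes, else None."""
    status, headers = parse_headers(raw_response)
    code = int(status.split()[1])
    location = headers.get("location")
    if not (300 <= code < 400) or location is None:
        return None
    size = len(location.encode("utf-8"))
    if size <= limit:
        return None
    return {
        "status": code,
        "location_bytes": size,
        "limit": limit,
        "within_rfc9110_recommendation": size <= RFC9110_RECOMMENDED,
        "effect": truncation_effect(location, limit),
    }


# Constructed sample data (hostnames and tokens are invented for this example).
LONG_QUERY_LOCATION = "https://sso.example.test/callback?token=" + "x" * 1200
LONG_PATH_LOCATION = "https://sso.example.test/" + "a" * 1100 + "/done"
SAMPLE_302_LONG = ("HTTP/1.1 302 Found\r\nLocation: " + LONG_QUERY_LOCATION
                   + "\r\nContent-Length: 0\r\n\r\n")
SAMPLE_302_SHORT = "HTTP/1.1 302 Found\r\nLocation: https://sso.example.test/ok\r\n\r\n"

if __name__ == "__main__":
    print(flag_oversized_redirect(SAMPLE_302_LONG))   # finding: query string truncated
    print(flag_oversized_redirect(SAMPLE_302_SHORT))  # None: fits the 1024-byte buffer
```

The `effect` field is what makes a finding actionable: a redirect that keeps host and path but loses its query string (the SSO-callback shape above) fails differently from one whose path itself is cut, and both are within the 8000 bytes RFC 9110 says a client should handle.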

++++++++++++++++++++++++++

Please use the following format to document the analysis and paste it into a new
comment below:

Analysis performed by: (username)

CVE: CVE-2025-1861
Exploitable: (YES/NO)
Assessment Summary: (description of how conclusion was drawn)
Mitigation: (If available)


This is an internal KB article and its content should not be copy/pasted and shared with people outside of NetApp. Always seek Duty Manager authentication of caller for password reset requests. If you need further assistance post a question in Knowledge Xchange