PHP up to 8.1.30/8.2.25/8.3.13 Proxy request smuggling

Summaryinfo

A vulnerability classified as problematic was found in PHP up to 8.1.30/8.2.25/8.3.13. This affects an unknown function of the component Proxy Handler. Executing a manipulation can lead to request smuggling. The identification of this vulnerability is CVE-2024-11234. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in PHP up to 8.1.30/8.2.25/8.3.13. It has been declared as problematic. This vulnerability affects an unknown function of the component Proxy Handler. The manipulation with an unknown input leads to a request smuggling vulnerability. The CWE definition for the vulnerability is CWE-444. The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

The advisory is shared for download at github.com. This vulnerability was named CVE-2024-11234 since 11/15/2024. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 09/13/2025).

The vulnerability scanner Nessus provides a plugin with the ID 211742 (Fedora 41 : php (2024-3891a08c9e)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 8.1.31, 8.2.26 or 8.3.14 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (211742) and CERT Bund (WID-SEC-2024-3519). Once again VulDB remains the best source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Fedora Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• NetApp Data ONTAP
• SUSE openSUSE
• RESF Rocky Linux
• Open Source PHP

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4
• 8.1.5
• 8.1.6
• 8.1.7
• 8.1.8
• 8.1.9
• 8.1.10
• 8.1.11
• 8.1.12
• 8.1.13
• 8.1.14
• 8.1.15
• 8.1.16
• 8.1.17
• 8.1.18
• 8.1.19
• 8.1.20
• 8.1.21
• 8.1.22
• 8.1.23
• 8.1.24
• 8.1.25
• 8.1.26
• 8.1.27
• 8.1.28
• 8.1.29
• 8.1.30
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.2.4
• 8.2.5
• 8.2.6
• 8.2.7
• 8.2.8
• 8.2.9
• 8.2.10
• 8.2.11
• 8.2.12
• 8.2.13
• 8.2.14
• 8.2.15
• 8.2.16
• 8.2.17
• 8.2.18
• 8.2.19
• 8.2.20
• 8.2.21
• 8.2.22
• 8.2.23
• 8.2.24
• 8.2.25
• 8.3.0
• 8.3.1
• 8.3.2
• 8.3.3
• 8.3.4
• 8.3.5
• 8.3.6
• 8.3.7
• 8.3.8
• 8.3.9
• 8.3.10
• 8.3.11
• 8.3.12
• 8.3.13

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion