CVE-2024-11234 MEDIUM

CVE-2024-11234: Configuring a proxy in a stream context might allow for CRLF injection in URIs

Vendor: PHP Group
Product: PHP
Weakness: CWE-20 · Input validation
Published: November 24, 2024
Last update: November 3, 2025

CVSS base score

4.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, when streams are used with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized. This can lead to HTTP request smuggling and allow an attacker to use the proxy to perform arbitrary HTTP requests originating from the server, potentially gaining access to resources not normally available to an external user.
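A caller-side guard for the condition described above, as an added example that is not code from the PHP project or from this record: it checks whether a PHP version falls in the listed affected ranges and rejects URLs containing raw control characters or whitespace before they reach a stream context that uses a proxy with "request_fulluri". The function names, the proxy address and the sample URLs are assumptions constructed for the example.

```php
<?php
// Added example; function names are hypothetical, sample inputs are constructed.

// True when $version is in a range the advisory lists as affected.
// Distribution packages may backport the fix without changing this number.
function is_affected(string $version): bool
{
    $fixed = ['8.1' => '8.1.31', '8.2' => '8.2.26', '8.3' => '8.3.14'];
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m) || !isset($fixed[$m[1]])) {
        return false;
    }
    return version_compare($version, $fixed[$m[1]], '<');
}

// Returns $url unchanged, or throws if it is unsafe to place in a request line.
function assert_safe_proxy_url(string $url): string
{
    // With request_fulluri the whole URI is written into the request line sent
    // to the proxy, so a raw CR, LF, other control byte or space must not pass.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        throw new InvalidArgumentException('control character or whitespace in URL');
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true) || !is_string(parse_url($url, PHP_URL_HOST))) {
        throw new InvalidArgumentException('absolute http(s) URL required');
    }
    return $url;
}

// Fetch through a proxy only after validation ($proxy is an assumed address).
function fetch_via_proxy(string $url, string $proxy = 'tcp://proxy.example.internal:3128')
{
    $ctx = stream_context_create(['http' => [
        'proxy' => $proxy, 'request_fulluri' => true, 'timeout' => 5,
    ]]);
    return file_get_contents(assert_safe_proxy_url($url), false, $ctx);
}

// Offline demo: validation only, no network access.
printf("PHP %s affected: %s\n", PHP_VERSION, is_affected(PHP_VERSION) ? 'yes' : 'no');
foreach (["http://example.test/feed.xml", "http://example.test/a\r\nb"] as $u) {
    try {
        assert_safe_proxy_url($u);
        echo json_encode($u), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($u), " rejected: ", $e->getMessage(), "\n";
    }
}
```

The guard is defence in depth for code that builds URLs from untrusted input; running a PHP release at or above the fixed versions listed in the description remains the remedy.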

Key dates

02 Disclosure timeline

November 24, 2024: CVE published
November 3, 2025: Record updated