CVE-2025-1736
Stream HTTP wrapper header check might omit basic auth headerIn PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
We have discovered 415,224 live websites that are affected by CVE-2025-1736.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 415,224 live websites (5.69% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 84 versions ( 16% of all versions) |
Common Weakness Enumeration
CWE-20 Improper Input ValidationDetails
- Published - Mar 30, 2025
- Updated - Nov 3, 2025
Credits
- Jakub Zelenka (reporter)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-1736 United States | 95,771 websites |
 France | 108,386 websites |
 Russia | 21,319 websites |
 Germany | 20,425 websites |
 Cyprus | 19,403 websites |
 India | 15,464 websites |
 Brazil | 12,695 websites |
 Netherlands | 12,086 websites |
 Australia | 9,028 websites |
 GB | 8,086 websites |
Website Distribution by TLD
Number of websites using CVE-2025-1736| .com | 168,395 websites |
| .fr | 45,134 websites |
| .org | 19,101 websites |
| .ru | 18,673 websites |
| .net | 12,607 websites |
| .com.br | 11,247 websites |
| .nl | 10,723 websites |
| .de | 7,480 websites |
| .be | 6,828 websites |
| .it | 6,459 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-1736
Top websites that are affected by CVE-2025-1736. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****************.com | United States | *,*** | |
| ********.********.it |  Italy | *,*** | |
| ****.*****.com | United States | *,*** | |
| ****.*******.org | United States | *,*** | |
| *******.com | Germany | *,*** | |
| ******.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| *****.com |  Japan | *,*** | |
| *******.com | United States | *,*** | |
| ***********************.com | United States | *,*** |
FAQ
CVE-2025-1736 is Improper Input Validation in PHP
A total of 415,224 websites have been identified as vulnerable to CVE-2025-1736, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2025-1736 vulnerability.
PHP versions up to 8.4.5 are vulnerable to CVE-2025-1736.
CVE-2025-1736 is resolved in version 8.4.5 of PHP.