CVE-2024-8925: Erroneous parsing of multipart form data

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could allow a malicious attacker who controls part of the submitted data to exclude a portion of the other data, potentially leading to erroneous application behavior.

Classification

CVE ID: CVE-2024-8925

CVSS Base Severity: LOW

CVSS Base Score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor: PHP Group

Product: PHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (estimated probability of exploitation in the wild)

EPSS Percentile: 7.52% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-15 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8925
https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32
