CVE-2016-5385

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Published: Jul 19, 2016
Updated: Nov 9, 2025
CVE: CVE-2016-5385
GHSA: GHSA-m6ch-gg5f-wxx3
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
oracle / enterprise_manager_ops_center	12.2.2	12.2.2.x
oracle / enterprise_manager_ops_center	12.3.2	12.3.2.x
oracle / communications_user_data_repository	10.0.1	10.0.1.x
oracle / linux	6	6.x
oracle / linux	7	7.x
oracle / communications_user_data_repository	12.0.0	12.0.0.x
oracle / communications_user_data_repository	10.0.0	10.0.0.x
fedoraproject / fedora	24	24.x
fedoraproject / fedora	23	23.x
hp / storeever_msl6480_tape_library_firmware	-	5.09.x
hp / system_management_homepage	-	7.5.5.0.x
php / php	5.6.0	5.6.24
php / php	5.5.0	5.5.38
php / php	7.0.0	7.0.8.x
redhat / enterprise_linux_desktop	6.0	6.0.x
redhat / enterprise_linux_server	6.0	6.0.x
redhat / enterprise_linux_workstation	6.0	6.0.x
debian / debian_linux	8.0	8.0.x
opensuse / leap	42.1	42.1.x
drupal / drupal	8.0.0	8.1.7
guzzlehttp / guzzle	6	6.2.1
guzzlehttp / guzzle	4.0.0-rc2	4.2.4
guzzlehttp / guzzle	5	5.3.1

Vulnerability Database

300,445

CVE-2016-5385

Deep Security Visibility Without the Complexity