fix: handle HTTP/2 responses without a reason phrase in CURLRequest

system/HTTP/CURLRequest.php

@@ -504,14 +504,14 @@ protected function setResponseHeaders(array $headers = [])
                     $this->response->setHeader($title, $value);
                 }
             } elseif (str_starts_with($header, 'HTTP')) {
-                preg_match('#^HTTP\/([12](?:\.[01])?) (\d+) (.+)#', $header, $matches);
+                preg_match('#^HTTP\/([12](?:\.[01])?) (\d+)(?: (.+))?#', $header, $matches);
 
                 if (isset($matches[1])) {
                     $this->response->setProtocolVersion($matches[1]);
                 }
 
                 if (isset($matches[2])) {
-                    $this->response->setStatusCode((int) $matches[2], $matches[3] ?? null);
+                    $this->response->setStatusCode((int) $matches[2], $matches[3] ?? '');
                 }
             }
         }

tests/system/Cookie/CookieTest.php

@@ -301,7 +301,7 @@ public function testArrayAccessOfCookie(): void
         $this->assertSame($cookie['path'], $cookie->getPath());
 
         $this->expectException('InvalidArgumentException');
-        $cookie['expiry']; // @phpstan-ignore expr.resultUnused
+        $cookie['expiry'];
     }
 
     public function testCannotSetPropertyViaArrayAccess(): void

tests/system/HTTP/CURLRequestTest.php

@@ -1041,6 +1041,23 @@ public function testResponseHeadersShortProtocol(): void
         $this->assertSame(235, $response->getStatusCode());
     }
 
+    public function testResponseHeadersWithoutReasonPhrase(): void
+    {
+        // HTTP/2 does not include a reason phrase per RFC 7540.
+        // curl synthesizes the status line as "HTTP/2 200" with no trailing reason.
+        $request = $this->getRequest([
+            'baseURI' => 'http://www.foo.com/api/v1/',
+            'delay'   => 100,
+        ]);
+
+        $request->setOutput("HTTP/2 200\x0d\x0aContent-Type: text/html\x0d\x0a\x0d\x0aHi there");
+        $response = $request->get('bogus');
+
+        $this->assertSame('2.0', $response->getProtocolVersion());
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertSame('OK', $response->getReasonPhrase());
+    }
+
     public function testPostFormEncoded(): void
     {
         $params = [

user_guide_src/source/changelogs/v4.7.1.rst

@@ -51,14 +51,15 @@ Bugs Fixed
 - **ContentSecurityPolicy:** Fixed a bug where custom CSP tags were not removed from generated HTML when CSP was disabled. The method now ensures that all custom CSP tags are removed from the generated HTML.
 - **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` produces corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
 - **ContentSecurityPolicy:** Fixed a bug where nonces generated by ``getScriptNonce()`` and ``getStyleNonce()`` were not added to the ``script-src-elem`` and ``style-src-elem`` directives, causing nonces to be silently ignored by browsers when those directives were present.
+- **CURLRequest:** Fixed a bug where HTTP/2 responses without a reason phrase (e.g., ``HTTP/2 200``) were not parsed correctly, causing the status code and protocol version to be ignored.
 - **Database:** Fixed a bug where ``BaseConnection::callFunction()`` could double-prefix already-prefixed function names.
 - **Database:** Fixed a bug where ``BasePreparedQuery::prepare()`` could mis-handle SQL containing colon syntax by over-broad named-placeholder replacement. It now preserves PostgreSQL cast syntax like ``::timestamp``.
 - **Model:** Fixed a bug where ``BaseModel::updateBatch()`` threw an exception when ``updateOnlyChanged`` was ``true`` and the index field value did not change.
 - **Model:** Fixed a bug where ``Model::chunk()`` ran an unnecessary extra database query at the end of iteration. ``chunk()`` now also throws ``InvalidArgumentException`` when called with a non-positive chunk size.
 - **Session:** Fixed a bug in ``MemcachedHandler`` where the constructor incorrectly threw an exception when ``savePath`` was not empty.
+- **Testing:** Fixed a bug in ``FeatureTestTrait::withRoutes()`` where invalid HTTP methods were not properly validated, thus passing them all to ``RouteCollection``.
 - **Toolbar:** Fixed a bug where the standalone toolbar page loaded from ``?debugbar_time=...`` was not interactive.
 - **Toolbar:** Fixed a bug in the Routes panel where only the first route parameter was converted to an input field on hover.
-- **Testing:** Fixed a bug in ``FeatureTestTrait::withRoutes()`` where invalid HTTP methods were not properly validated, thus passing them all to ``RouteCollection``.
 - **Validation:** Rule ``valid_cc_number`` now has the correct translation.
 - **Validation:** Fixed a bug where rules did not fire for array elements missing a key when using wildcard fields (e.g., ``contacts.friends.*.name``).
 - **View:** Fixed a bug where ``View`` would throw an error if the ``appOverridesFolder`` config property was not defined.