The Host header is defined in section 14.23 of RFC 2616 as:
Host = "Host" ":" host [ ":" port ] ; Section 3.2.2
Section 3.2.2 of RFC 2396 defines host as:
hostport = host [ ":" port ]
host = hostname | IPv4address
hostname = *( domainlabel "." ) toplabel [ "." ]
domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
toplabel = alpha | alpha *( alphanum | "-" ) alphanum
In other words, if $_SERVER['HTTP_HOST'] ever contains something other than a valid hostname there’s a bug in the web server.
So, while it’s true that the client can change the Host header to whatever they want, typically it must match the name of a virtual server, and even in a brain-dead catch-all configuration the web server should reject invalid hostnames.
tl;dr: no, it’s not a security risk.
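A validator that implements the RFC 2396 hostport grammar quoted above and then performs the virtual-host match the answer relies on, as an added PHP example that is not part of the original answer; the expected-host list and the sample values are constructed.

```php
<?php
// Added example (not part of the original answer): validate a raw Host header
// value against the RFC 2396 grammar quoted above, then check it against the
// list of virtual-host names this application expects to serve.
// domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
const DOMAINLABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
// toplabel = alpha | alpha *( alphanum | "-" ) alphanum
const TOPLABEL = '[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
// hostname = *( domainlabel "." ) toplabel [ "." ]
const HOSTNAME = '(?:' . DOMAINLABEL . '\.)*' . TOPLABEL . '\.?';
// IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit
const IPV4ADDRESS = '[0-9]+(?:\.[0-9]+){3}';
// hostport = host [ ":" port ]; port = *digit, so an empty port is grammatical
const HOSTPORT_RE = '/\A(?<host>' . HOSTNAME . '|' . IPV4ADDRESS . ')(?::(?<port>[0-9]*))?\z/';

// Parse a Host header value. Returns ['host' => string, 'port' => ?int], or
// null when the value does not conform to the grammar.
function parse_host_header(string $value): ?array
{
    if (preg_match(HOSTPORT_RE, $value, $m) !== 1) {
        return null;
    }
    // A trailing dot is grammatical; strip it and lowercase for canonical comparison.
    $host = strtolower(rtrim($m['host'], '.'));
    $port = (isset($m['port']) && $m['port'] !== '') ? (int) $m['port'] : null;
    return ['host' => $host, 'port' => $port];
}

// True only if $value is syntactically valid AND names one of the virtual
// hosts this application is configured for (the match the answer relies on).
function host_is_expected(string $value, array $expected_hosts): bool
{
    $parsed = parse_host_header($value);
    if ($parsed === null) {
        return false;
    }
    return in_array($parsed['host'], array_map('strtolower', $expected_hosts), true);
}

// Constructed sample values; not taken from any real request.
$samples = [
    'www.example.com',        // valid hostname, in the list: accept
    'WWW.Example.com.:8080',  // trailing dot, port and mixed case are grammatical: accept
    '203.0.113.10',           // grammatical IPv4address, but not in the list: reject
    'static.example.net',     // grammatical hostname, but not a vhost we serve: reject
    'www.example.com/',       // character outside the grammar: reject
    'example.123',            // toplabel may not start with a digit: reject
];
foreach ($samples as $s) {
    printf("%-24s %s\n", $s, host_is_expected($s, ['www.example.com']) ? 'accept' : 'reject');
}
```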