CVE-2025-1220

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
phpCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.33
phpphp
8.2.0 ≤
𝑥
< 8.2.29
phpphp
8.3.0 ≤
𝑥
< 8.3.23
phpphp
8.4.0 ≤
𝑥
< 8.4.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
7.4.33-1+deb11u9
fixed
php8.2
bookworm
vulnerable
bookworm (security)
8.2.29-1~deb12u1
fixed
php8.4
forky
8.4.11-1
fixed
sid
8.4.11-1
fixed
trixie
8.4.11-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r