CVE-2025-1220

EUVD-2025-21274
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
phpCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.33
phpphp
8.2.0 ≤
𝑥
< 8.2.29
phpphp
8.3.0 ≤
𝑥
< 8.3.23
phpphp
8.4.0 ≤
𝑥
< 8.4.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
vulnerable
bullseye (security)
7.4.33-1+deb11u10
fixed
php8.2
bookworm
8.2.29-1~deb12u1
fixed
bookworm (security)
8.2.30-1~deb12u1
fixed
php8.4
forky
8.4.16-1
fixed
sid
8.4.16-1
fixed
trixie
8.4.11-1
fixed
trixie (security)
8.4.16-1~deb13u1
fixed
Common Weakness Enumeration
References
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r
http://www.openwall.com/lists/oss-security/2025/07/11/4
https://lists.debian.org/debian-lts-announce/2025/07/msg00017.html
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r