CVEFinder.io

CVE-2025-1220

ℹ️ low
Summary

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

CVSS Score
3.7
Low
EPSS Score
0.0
Exploit Probability
Published Date
2025-07-13
First Seen: 2026-01-05
Last Modified 2025-11-04
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE IDs (Weakness Types)
CWE-918

πŸ”— References 4

https://github.com/php/php-src/security/advisories/G...
Exploit Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/11/4
https://lists.debian.org/debian-lts-announce/2025/07...
https://github.com/php/php-src/security/advisories/G...
Exploit Vendor Advisory

πŸ“¦ Affected Products 4

Vendor Product Status Affected Versions
php php Affected
≥ 8.1.0 < 8.1.33
php php Affected
≥ 8.2.0 < 8.2.29
php php Affected
≥ 8.3.0 < 8.3.23
php php Affected
≥ 8.4.0 < 8.4.10

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-14177 ⚠️ high 7.5 0.0 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, ... 2025-12-27
CVE-2025-14178 πŸ”Ά medium 6.5 0.1 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, ... 2025-12-27
CVE-2025-14180 ⚠️ high 7.5 0.0 In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 w... 2025-12-27
CVE-2025-6491 πŸ”Ά medium 5.9 0.1 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data... 2025-07-13
CVE-2025-1735 πŸ”Ά medium 5.9 0.1 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functi... 2025-07-13
CVE-2024-11235 ⚠️ high 8.1 1.5 In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator a... 2025-04-04
These CVEs affect the same products