CVE-2025-1220
low
Summary
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, some functions such as fsockopen() do not validate that the supplied hostname contains no null characters. As a result, other functions such as parse_url() may treat the hostname differently, which opens the way to security problems if user code implements access checks with such functions before the access is made.
CVSS Score
3.7
Low
EPSS Score
0.0
Exploit Probability
Published Date
2025-07-13
First Seen: 2026-01-05
Relative Risk Intelligence
This CVE is Lower Risk - more severe than 4.0% of all 329,456 vulnerabilities in our database.
#316,364
Below average severity
Severity Percentile
CISA SSVC Assessment Updated: Jul 14, 2025
Exploitation Status
PoC
Proof-of-concept available
Automatable
NO
Requires human interaction
Technical Impact
Partial
Limited system impact
Discovered By
Jihwan Kim (reporter)
SSVC data provided by
CISA
Last Modified
2025-11-04
Source
NVD
CVSS Vector 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE IDs (Weakness Types)