php-src
Behoben in
8.1.33
8.2.29
8.3.23
8.4.10
CVE-2025-1220 is a security vulnerability affecting PHP versions 8.1.x, 8.2.x, 8.3.x, and 8.4.x prior to specific patch releases. The vulnerability stems from inadequate validation of hostnames passed to functions like fsockopen(), which can lead to unexpected behavior in functions like parse_url(). This can potentially bypass access controls and lead to security problems if user code relies on these functions for security checks.
The core of the vulnerability lies in the insufficient validation of hostnames provided to functions such as fsockopen() and subsequently processed by functions like parseurl(). An attacker can inject null characters into the hostname, causing parseurl() to misinterpret the hostname and potentially bypass security checks. This could lead to unauthorized access to resources, data exfiltration, or even remote code execution, depending on how the application utilizes the parsed URL components. The impact is amplified in applications that rely on user-supplied hostnames for critical operations, such as connecting to external services or accessing internal resources. While the CVSS score is LOW, the potential for bypass of access controls makes this a significant concern.
CVE-2025-1220 was publicly disclosed on 2025-07-13. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the vulnerability's nature suggests that it could be relatively straightforward to exploit once a suitable PoC is developed. The EPSS score is pending evaluation.
Applications built using PHP that rely on user-supplied hostnames for access control or resource identification are at risk. This includes web applications that connect to external services or databases using dynamically constructed URLs. Legacy PHP applications with outdated security practices are particularly vulnerable.
• php: Examine PHP application code for instances of fsockopen() and parse_url() where hostnames are used without proper validation. Look for patterns where user-supplied input is directly passed to these functions.
// Example of vulnerable code
$hostname = $_GET['hostname'];
$url = parse_url('http://' . $hostname);
$ip = $url['host'];• linux / server: Monitor PHP error logs (typically in /var/log/php_errors.log) for errors related to URL parsing or hostname resolution. Use journalctl -u php-fpm to filter for relevant errors.
• generic web: Use curl to test endpoints that accept hostnames as parameters. Attempt to inject null characters into the hostname and observe the response. curl -H "Host: example.com%00" http://your-application/
disclosure
Exploit-Status
EPSS
0.04% (11% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-1220 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 8.4.10 or later. If upgrading immediately is not feasible, consider implementing input validation on the application side to sanitize hostnames before passing them to PHP functions. This could involve stripping null characters or enforcing strict hostname formats. Web Application Firewalls (WAFs) can also be configured to filter out requests containing suspicious hostnames. After upgrading, confirm the fix by attempting to connect to a server using a hostname containing null characters; the connection should fail with an appropriate error.
Actualice PHP a la última versión disponible. Asegúrese de actualizar a las versiones 8.1.33, 8.2.29, 8.3.23 o 8.4.10 o superior, según corresponda a su rama de PHP. Esto corregirá la vulnerabilidad de terminación de byte nulo en las funciones afectadas.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-1220 is a vulnerability in PHP 8.1.0-8.4.10 where inadequate hostname validation in functions like fsockopen() can lead to bypasses of access controls when using parse_url().
You are affected if you are running PHP versions 8.1.0 through 8.1.32, 8.2.0 through 8.2.28, 8.3.0 through 8.3.22, or 8.4.0 through 8.4.9.
Upgrade to PHP 8.4.10 or later. If upgrading is not possible, implement stricter input validation to sanitize hostnames before using fsockopen() and parse_url().
There is currently no indication of active exploitation campaigns targeting CVE-2025-1220.
Refer to the official PHP security advisory for details: [https://security.php.net/advisory/CVE-2025-1220](https://security.php.net/advisory/CVE-2025-1220)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.