Platform
php
Component
php-src
Fixed in
8.1.33
8.2.29
8.3.23
8.4.10
CVE-2025-1220 is a security vulnerability affecting PHP versions 8.1.x, 8.2.x, 8.3.x, and 8.4.x prior to specific patch releases. The vulnerability stems from inadequate validation of hostnames passed to functions like fsockopen(), which can lead to unexpected behavior in functions like parse_url(). This can potentially bypass access controls and lead to security problems if user code relies on these functions for security checks.
The core of the vulnerability lies in the lack of null character validation within the hostname parameter of functions like fsockopen(). When a malicious hostname containing null characters is supplied, parse_url() may interpret it differently than intended. This can lead to bypasses of access control mechanisms that rely on the hostname for validation. An attacker could craft a malicious hostname to manipulate the URL parsing process, potentially gaining unauthorized access to resources or executing unintended code. While the CVSS score is LOW, the potential for bypasses in custom applications warrants careful attention and remediation.
This vulnerability was publicly disclosed on 2025-07-13. There is currently no indication of active exploitation campaigns targeting CVE-2025-1220. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog. Due to the relatively low CVSS score and lack of public exploits, the probability of exploitation is considered low to medium.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1220 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 8.4.10 or later. If upgrading is not immediately feasible, consider implementing stricter input validation within your application code to sanitize hostnames before passing them to functions like fsockopen() and parseurl(). This should include explicit checks for null characters and other potentially malicious characters. Web Application Firewalls (WAFs) configured to inspect and filter HTTP headers could also provide a layer of defense, but should not be relied upon as the sole mitigation. After upgrading, confirm the fix by attempting to use a crafted hostname containing null characters with fsockopen() and verifying that parseurl() behaves as expected.
Update PHP to the latest available version. Ensure you update to versions 8.1.33, 8.2.29, 8.3.23, or 8.4.10 or higher, as appropriate for your PHP branch. This will correct the null byte termination vulnerability in the affected functions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-1220 is a vulnerability in PHP 8.1.0-8.4.10 where inadequate hostname validation in functions like fsockopen() can lead to bypasses of access controls when using parse_url().
You are affected if you are running PHP versions 8.1.0 through 8.1.32, 8.2.0 through 8.2.28, 8.3.0 through 8.3.22, or 8.4.0 through 8.4.9.
Upgrade to PHP 8.4.10 or later. If upgrading is not possible, implement stricter input validation to sanitize hostnames before using fsockopen() and parse_url().
There is currently no indication of active exploitation campaigns targeting CVE-2025-1220.
Refer to the official PHP security advisory for details: [https://security.php.net/advisory/CVE-2025-1220](https://security.php.net/advisory/CVE-2025-1220)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.