CVE-2025-1219

CWE-1116 CWE-20 — Improper Input Validation8 documents7 sources

Severity

6.3MEDIUM

EPSS

0.1%

top 79.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedMar 30

Latest updateMar 31

Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDphp/php8.1.0 — 8.1.32+3

▶CVEListV5php_group/php8.1.* — 8.1.32+3

▶Debianphp7.4< 7.4.33-1+deb11u8

▶Debianphp8.2< 8.2.28-1~deb12u1

▶Debianphp8.4< 8.4.5-1+1

🔴Vulnerability Details

OSV

php7.4, php8.1, php8.3 vulnerabilities↗2025-03-31

▶

CVEList

libxml streams use wrong content-type header when requesting a redirected resource↗2025-03-30

▶

OSV

CVE-2025-1219: In PHP from 8↗2025-03-30

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2025-03-31

▶

Red Hat

php: libxml streams use wrong content-type header when requesting a redirected resource↗2025-03-30

▶

Microsoft

libxml streams use wrong content-type header when requesting a redirected resource↗2025-03-11

▶

Debian

CVE-2025-1219: php7.4 - In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3...↗2025

▶