CVE-2025-1220: In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the…

medium5.3CVSS 3.1

AVNACLPRNUINSUCLINAN

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	php7.4	< php7.4 7.4.33-1+deb11u9 (bullseye)	php7.4 7.4.33-1+deb11u9 (bullseye)
debian	php8.2	< php7.4 7.4.33-1+deb11u9 (bullseye)	php7.4 7.4.33-1+deb11u9 (bullseye)
debian	php8.4	< php7.4 7.4.33-1+deb11u9 (bullseye)	php7.4 7.4.33-1+deb11u9 (bullseye)
gitlab	gitlab	—	—
gitlab	gitlab_ce	—	—
gitlab	gitlab_ee	—	—
msrc	azl3_php_8.3.23-1_on_azure_linux_3.0	—	—
msrc	azl3_php_8.3.29-1_on_azure_linux_3.0	—	—
msrc	cbl2_ceph_16.2.10-4_on_cbl_mariner_2.0	—	—
msrc	cbl2_ceph_16.2.10-7_on_cbl_mariner_2.0	—	—
msrc	cbl2_php_8.1.32-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_php_8.1.33-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
msrc	microsoft_visual_studio_2017_version_15.9	—	—
msrc	microsoft_visual_studio_2019_version_16.11	—	—
msrc	microsoft_visual_studio_2022_version_17.10	—	—
msrc	microsoft_visual_studio_2022_version_17.12	—	—
msrc	microsoft_visual_studio_2022_version_17.13	—	—
msrc	microsoft_visual_studio_2022_version_17.8	—	—
php	php	>= 8.1.0 < 8.1.33	8.1.33
php	php	>= 8.2.0 < 8.2.29	8.2.29
php	php	>= 8.3.0 < 8.3.23	8.3.23
php	php	>= 8.4.0 < 8.4.10	8.4.10
php_group	php	>= 8.1.* < 8.1.33	8.1.33

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

osv5.3MEDIUM