CVE-2025-1220

Published Jul 13, 2025

Last updated 3 days ago

Overview

Description
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, some functions such as fsockopen() do not validate that the supplied hostname is free of null characters. As a result, other functions such as parse_url() may treat the hostname in a different way, which opens the way to security problems if the user code implements access checks before access using such functions.
Source
security@php.net
NVD status
Awaiting Analysis
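The mismatch described above matters when one function vets a hostname and another connects to it. The following is an added example, not code from the PHP project or this advisory: an application-level guard that rejects control bytes before parsing and connects only to the vetted value. The allow-list entries, function names and sample URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list; host names are constructed for this example.
const ALLOWED_HOSTS = ['api.internal.example', 'cdn.example.com'];

/**
 * Return a host that is safe to both check and connect to, or null.
 * NUL and other control bytes are rejected up front so the string the
 * access check sees is the same string the socket layer receives.
 */
function vetted_host(string $url): ?string
{
    // Reject control bytes in the raw input before any parsing happens.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null; // malformed URL or no host component
    }
    $host = strtolower($host);
    // Exact-match allow-list; no prefix or suffix matching.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Open a TLS socket only to a vetted host; returns a resource or false. */
function open_vetted(string $url, int $port = 443, float $timeout = 5.0)
{
    $host = vetted_host($url);
    if ($host === null) {
        return false;
    }
    // Connect with the vetted value, never with the original input.
    return @fsockopen('tls://' . $host, $port, $errno, $errstr, $timeout);
}

// Constructed inputs: one allowed, one carrying a NUL byte, one unlisted.
$samples = [
    'https://api.internal.example/v1/status',
    "https://cdn.example.com\0suffix/",
    'https://unlisted.example/',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", addcslashes($s, "\0..\37"), vetted_host($s) ?? 'REJECTED');
}
```

A guard like this is defence in depth for code that cannot be upgraded immediately; the fixed releases listed in the description remain the actual remedy.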

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.7
Impact score
1.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
LOW

Weaknesses

security@php.net
CWE-918

Social media

  1. 🚨 CVE-2025-1220: PHP’s fsockopen() can be tricked with a null byte, allowing unauthenticated SSRF. Patch to 8.1.33 / 8.2.29 / 8.3.23 / 8.4.10 now! Full advisory ➡️ https://t.co/BqParijcma #PHP #infosec #AppSec

    @VolerionSec

    13 Jul 2025

  2. PHP security releases 8.4.10, 8.3.23, 8.2.29, 8.1.33 https://t.co/xq1R6FQjZS CVE-2025-1735: pgsql extension does not check for errors during escaping CVE-2025-6491: NULL Pointer Dereference in PHP SOAP Extension CVE-2025-1220: Null byte termination in hostnames

    @oss_security

    12 Jul 2025

  3. kusanagi-php82 Module Update 8.2.29-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.2.29-1 This update includes support for vulnerability(CVE-2025-1735, CVE-2025-6491, CVE-2025-1220). On the combination of PHP... https://t.co/CzA6vFZA2B

    @kusanagi_saya

    7 Jul 2025

  4. kusanagi-php83 Module Update 8.3.23-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.3.23-1 This update includes support for vulnerability(CVE-2025-1735, CVE-2025-6491, CVE-2025-1220). The module update can be... https://t.co/y5NdfUo0JJ

    @kusanagi_saya

    7 Jul 2025

  5. kusanagi-php84 Module Update 8.4.10-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.4.10-1 This update includes support for vulnerability(CVE-2025-1735, CVE-2025-6491, CVE-2025-1220). The module update can be... https://t.co/XUU5pUQSCc

    @kusanagi_saya

    7 Jul 2025
