PT-2025-28036 · Opensuse+9 · Php8-8.4.10-1.1+11
Jihwan Kim · Published 2025-01-01 · Updated 2026-02-10 · CVE-2025-1220
CVSS v2.0: 5.4 (Medium)
Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
PHP versions prior to 8.1.33
PHP versions prior to 8.2.29
PHP versions prior to 8.3.23
PHP versions prior to 8.4.10
PHP 7.4 (affected versions not specified)
PHP 8.2 (affected versions not specified)
Description
PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10 are susceptible to a null character injection issue. Specifically, functions such as fsockopen() do not properly validate hostnames for null characters. This can cause functions like parse_url() to interpret the hostname incorrectly, potentially leading to security problems if user code implements access checks before accessing resources. This could result in denial of service or server-side request forgery (SSRF).
Recommendations
Upgrade to PHP version 8.1.33 or later.
Upgrade to PHP version 8.2.29 or later.
Upgrade to PHP version 8.3.23 or later.
Upgrade to PHP version 8.4.10 or later.
Upgrade your php8.2 packages to version 8.2.29-1~deb12u1 or later.
Upgrade your php7.4 packages to the latest available version.
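An added example (not part of the advisory or of PHP itself) of the access-check pattern the description refers to: the hostname is rejected if it contains a null or other control byte, and the same validated string is used for both the allowlist check and the fsockopen() call. The allowlist entries, function names and sample inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for this example; not taken from the advisory.
const ALLOWED_HOSTS = ['api.internal.example', 'cdn.example'];

/**
 * Returns the normalised host if it may be handed to fsockopen(), else null.
 * The string that passes the check is the string that gets connected to, so
 * the check and the connection cannot disagree about where the name ends.
 */
function validated_host(string $host): ?string
{
    // Reject NUL, other control bytes, whitespace and DEL outright.
    if ($host === '' || preg_match('/[\x00-\x20\x7f]/', $host) === 1) {
        return null;
    }
    // Allow only hostname characters: letters, digits, hyphen, dot.
    if (preg_match('/\A[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?\z/i', $host) !== 1) {
        return null;
    }
    $host = strtolower($host);
    // Exact, strict comparison against the allowlist (no prefix matching).
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** @return resource|false */
function open_checked(string $host, int $port)
{
    $safe = validated_host($host);
    if ($safe === null) {
        throw new InvalidArgumentException('hostname rejected');
    }
    return fsockopen($safe, $port, $errno, $errstr, 5.0);
}

// Constructed inputs; the second one carries an embedded NUL byte.
$samples = [
    'api.internal.example',
    "api.internal.example\0.untrusted.example",
    'untrusted.example',
];
foreach ($samples as $s) {
    $verdict = validated_host($s) === null ? 'rejected' : 'accepted';
    printf("%-46s %s\n", addcslashes($s, "\0..\37"), $verdict);
}
```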
Exploit
Fix
NULL Pointer Dereference
SSRF
Related Identifiers
Affected Products
Alt Linux
Almalinux
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Php7.4
Php8-8.4.10-1.1
Php8.2