CVE-2025-1220 LOW

CVE-2025-1220: Null byte termination in hostnames

Vendor PHP Group
Product PHP
Weakness CWE-918 · SSRF
Published July 13, 2025
Last update November 4, 2025

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, some functions like fsockopen() lack validation that the supplied hostname does not contain null characters. This may lead other functions like parse_url() to treat the hostname in a different way, thus opening the way to security problems if the user code implements access checks before access using such functions.
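A defensive pattern for user code that performs an access check before connecting, shown as an added example that is not part of the CVE record or PHP itself. The helper names `assert_safe_host()` and `open_checked()`, the allowlist and the sample hostnames are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): validate the hostname once and
// return the exact string that both the access check and the connect use.
function assert_safe_host(string $host, array $allowedHosts): string
{
    // Reject NUL, all other control bytes, space and DEL. Doing this in user
    // code keeps the check independent of the PHP version in use.
    if ($host === '' || preg_match('/[\x00-\x20\x7f]/', $host) === 1) {
        throw new InvalidArgumentException('hostname contains control bytes');
    }
    $normalized = strtolower($host);
    // Compare the full string against an explicit allowlist (assumed policy).
    if (!in_array($normalized, $allowedHosts, true)) {
        throw new InvalidArgumentException('hostname not in allowlist');
    }
    return $normalized;
}

// Hypothetical wrapper: the connection only ever sees the validated value,
// so the check and the use cannot disagree about what the hostname is.
function open_checked(string $host, int $port, array $allowedHosts)
{
    $safe = assert_safe_host($host, $allowedHosts);
    $sock = fsockopen($safe, $port, $errno, $errstr, 5.0);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    return $sock;
}

// Constructed sample inputs; only the validation step runs here (no network).
$allowed = ['api.example.com'];
$samples = ['api.example.com', "api.example.com\x00.internal.test", 'other.example.net'];
foreach ($samples as $h) {
    try {
        echo 'accepted: ', assert_safe_host($h, $allowed), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // json_encode makes an embedded NUL visible as \u0000 in the output.
        echo 'rejected: ', json_encode($h), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```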

Key dates

02 Disclosure timeline

July 13, 2025 CVE published
November 4, 2025 Record updated