CVE-2025-1219

Summary

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP8.1.* < 8.1.32affected
PHP GroupPHP8.2.* < 8.2.28affected
PHP GroupPHP8.3.* < 8.3.19affected
PHP GroupPHP8.4.* < 8.4.5affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

CVE Program Container

Additional References

References