CVE-2025-1219

MEDIUM6.3

libxml streams use wrong content-type header when requesting a redirected resource

Published Mar 30, 2025

Modified 2 months ago

No fix available

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

References

DETECTIONhttps://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc WEBhttps://lists.debian.org/debian-lts-announce/2025/03/msg00014.html WEBhttps://security.netapp.com/advisory/ntap-20250523-0007/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-1219

CVSS Analysis

CVSS v3.1

6.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ecosystems

Timeline

PublishedMar 30, 2025

ModifiedNov 3, 2025