UBUNTU-CVE-2025-1219

HIGH7.9

Published Mar 14, 2025

Modified 1 months ago

Fix available

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Affected Packages

php8.1

Ubuntu 22.04 LTS

Fixed in:

8.1.2-1ubuntu2.21

php8.3

Ubuntu 24.04 LTS

Fixed in:

8.3.6-0ubuntu0.24.04.4

php7.4

Ubuntu Pro 20.04 LTS

Affected versions:

7.4.3-4build17.4.3-4build27.4.3-4ubuntu17.4.3-4ubuntu1.17.4.3-4ubuntu2.107.4.3-4ubuntu2.117.4.3-4ubuntu2.127.4.3-4ubuntu2.137.4.3-4ubuntu2.157.4.3-4ubuntu2.16+20 more

References

REPORT

https://github.com/php/php-src/commit/a8d3a8006739b8aad2a190be90a0491739be6c0d

REPORT

https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc

REPORT

https://ubuntu.com/security/CVE-2025-1219

ADVISORY

https://ubuntu.com/security/notices/USN-7400-1

REPORT

https://www.cve.org/CVERecord?id=CVE-2025-1219

CVSS Analysis