#VU112190 Server-Side Request Forgery (SSRF) in PHP - CVE-2025-1220

Cybersecurity Help s.r.o.

Published: 2025-07-04

Vulnerability identifier: #VU112190

Vulnerability risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-1220

CWE-ID: CWE-918

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of the null byte in the fsockopen() function implementation when handling hostnames. A remote attacker can pass a specially crafted hostname to the application and force it to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PHP: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.1.15, 8.1.16, 8.1.17, 8.1.18, 8.1.19, 8.1.20, 8.1.21, 8.1.22, 8.1.23, 8.1.24, 8.1.25, 8.1.26, 8.1.27, 8.1.28, 8.1.29, 8.1.30, 8.1.31, 8.1.32, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 8.2.13, 8.2.14, 8.2.15, 8.2.16, 8.2.17, 8.2.18, 8.2.19, 8.2.20, 8.2.21, 8.2.22, 8.2.23, 8.2.24, 8.2.25, 8.2.26, 8.2.27, 8.2.28, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.6, 8.3.7, 8.3.8, 8.3.9, 8.3.10, 8.3.11, 8.3.12, 8.3.13, 8.3.14, 8.3.15, 8.3.16, 8.3.17, 8.3.19, 8.3.20, 8.3.21, 8.3.22, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.4.6, 8.4.7, 8.4.8

External links
https://www.php.net/ChangeLog-8.php#8.1.33
https://www.php.net/ChangeLog-8.php#8.4.10
https://www.php.net/ChangeLog-8.php#8.1.33
https://www.php.net/ChangeLog-8.php#8.2.29
https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for php8.1

openEuler 20.03 LTS SP4 update for php

openEuler 22.03 LTS SP3 update for php

openEuler 22.03 LTS SP4 update for php

cPanel EasyApache4 update for PHP

Fedora 41 update for php

Fedora 42 update for php

Multiple vulnerabilities in PHP