CVE-2025-1219

libxml streams use wrong content-type header when requesting a redirected resource.

Publication Date 2025-03-14
Severity Critical
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.31
  • 8.2.0-8.2.27
  • 8.3.0-8.3.18
  • 8.4.0-8.4.4
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.2

CVE Details

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, a vulnerability, which was classified as problematic, has been found. Affected by this issue is some unknown processing of the component Header Handler. The manipulation of the argument Content-Type with an unknown input leads to a redirect vulnerability. This can occur when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Impacted is integrity.

Recommendations

Always validate user input, and consider not allowing users to provide redirect URLs via form input without validation.

Otherwise, we recommend upgrading to a known patched version of PHP.