Hostname Null Character Vulnerability

Publication Date 2025-07-13
Severity Moderate
Type XML eXternal Entity injection
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.32
  • 8.2.0-8.2.28
  • 8.3.0-8.3.22
  • 8.4.0-8.4.9
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.3

CVE Details

The fsockopen() function and related functions failed to validate null characters (NUL bytes) within the provided hostname, potentially leading to unexpected behavior during parsing. A network attacker who can supply a specially crafted hostname can trigger this flaw, which can result in a denial of service due to parsing errors.

Recommendations

If using fsockopen() to establish a remote socket connection, either do not use a user-provided $hostname argument, or validate it ahead of time using filter_var($hostname, FILTER_VALIDATE_DOMAIN).
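The validation step above, as an added example that is not code from the advisory or from PHP itself. The helper names safe_hostname() and open_validated() are hypothetical, and the explicit NUL-byte check and the FILTER_FLAG_HOSTNAME flag are additions to the advisory's filter_var() call, made because FILTER_VALIDATE_DOMAIN without that flag only checks label lengths.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of PHP or Zend products):
 * validate a user-supplied hostname before it reaches fsockopen().
 * Returns the hostname on success, null on rejection.
 */
function safe_hostname(string $hostname): ?string
{
    // Reject empty input and NUL bytes explicitly, so the result does not
    // depend on how a given PHP build or filter treats embedded "\0".
    if ($hostname === '' || strpos($hostname, "\0") !== false) {
        return null;
    }

    // FILTER_VALIDATE_DOMAIN checks label lengths; FILTER_FLAG_HOSTNAME
    // (an assumption added here) also restricts labels to alphanumerics
    // and hyphens, which rules out control characters and whitespace.
    $valid = filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);

    return $valid === false ? null : $valid;
}

/** Open a TCP connection only if the hostname passes validation. */
function open_validated(string $hostname, int $port, float $timeout = 5.0)
{
    $host = safe_hostname($hostname);
    if ($host === null) {
        throw new InvalidArgumentException('Rejected hostname');
    }
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        throw new RuntimeException("Connect failed: [$errno] $errstr");
    }
    return $sock;
}

// Constructed sample inputs; no network connection is made here.
$samples = ["example.com", "example.com\0.internal", "bad host", ""];
foreach ($samples as $s) {
    $verdict = safe_hostname($s) === null ? 'rejected' : 'accepted';
    printf("%-30s => %s\n", json_encode($s), $verdict);
}
```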

Ideally, we recommend upgrading to a known patched version of PHP.