Vulnerability Description
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 8.1.0, < 8.1.32 |
Related Weaknesses (CWE)
References
- https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfcExploitVendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/03/msg00014.html
- https://security.netapp.com/advisory/ntap-20250523-0007/
- https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfcExploitVendor Advisory
FAQ
What is CVE-2025-1219?
CVE-2025-1219 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-t...
How severe is CVE-2025-1219?
CVE-2025-1219 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1219?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php.