CVE-2025-1220
Public on 2025-07-08
Modified on 2025-07-10
Description
fsockopen() doesn't regard hostname as well, hostname is terminated at the null byte. This can cause Server Side Request Forgery in general case.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | php | Pending Fix | ||
| Amazon Linux 2 - Php8.1 Extra | php | 2025-08-04 | ALAS2PHP8.1-2025-007 | Fixed |
| Amazon Linux 2 - Php8.2 Extra | php | 2025-08-04 | ALAS2PHP8.2-2025-008 | Fixed |
| Amazon Linux 2023 | php8.1 | 2025-08-08 | ALAS2023-2025-1087 | Fixed |
| Amazon Linux 2023 | php8.2 | 2025-08-08 | ALAS2023-2025-1088 | Fixed |
| Amazon Linux 2023 | php8.3 | 2025-08-08 | ALAS2023-2025-1114 | Fixed |
| Amazon Linux 2023 | php8.4 | 2025-08-08 | ALAS2023-2025-1113 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |