Critical PHP Vulnerability Let Hackers Bypass the Validation To Load Malicious Content

A critical vulnerability in PHP’s libxml streams has been identified, potentially impacting web applications that rely on the DOM or SimpleXML extensions for HTTP requests.

The flaw, tracked as CVE-2025-1219, involves the incorrect handling of the content-type header when a redirected resource is requested, leading to security risks such as document misinterpretation and validation bypass.

The vulnerability affects PHP versions:

• Below 8.1.32
• Below 8.2.28
• Below 8.3.18
• Below 8.4.5

Details of the Vulnerability

The issue arises when the HTTP stream wrapper follows a redirect. Instead of clearing previously captured headers before executing subsequent requests, it appends the headers from multiple requests into a single array.

This results in an array containing headers from all requests, with the headers from the final request placed last.

The function php_libxml_input_buffer_create_filename() or php_libxml_sniff_charset_from_stream() scans this array for a content-type header to determine the charset of the response.

However, it processes the headers sequentially from top to bottom and stops at the first content-type header it encounters.

According to the PHP report, This header may not correspond to the final response containing the HTML body being parsed. Consequently, documents may be parsed with an incorrect charset, leading to potential security issues.

This vulnerability can allow attackers to manipulate how documents are parsed by exploiting incorrect charset detection. For instance:

• Documents could be misinterpreted, altering their intended meaning.
• Validation processes might be bypassed if a document is parsed incorrectly.
• Exporting such documents using methods like ->saveHtml() could result in unintended outputs with the original charset preserved.

Applications using PHP’s DOM or SimpleXML extensions for HTTP requests are particularly vulnerable.

Proof of Concept

A proof-of-concept (PoC) demonstrates how this vulnerability can be exploited:

1. A redirect script (redirect.php) sends a content-type header specifying a charset (utf-16) and redirects to another resource.
2. When accessed via PHP’s DOMDocument or SimpleXML extensions, the initial content-type header is incorrectly used for parsing instead of that of the final response.

This behavior can lead to incorrect parsing and validation bypasses, as shown in scenarios where exported HTML content retains its original charset despite being manipulated.

PHP developers have addressed this issue in the following versions:

• PHP 8.1.32
• PHP 8.2.28
• PHP 8.3.19
• PHP 8.4.5

Mitigation Steps

To protect against CVE-2025-1219, users are strongly advised to update their PHP installations to one of the patched versions listed above:

1. Check your current version using php -v.
2. Update your system via your package manager or download updated binaries from php.net.
3. Restart any services relying on PHP after updating.

CVE-2025-1219 highlights a critical flaw in how PHP handles HTTP redirects using libxml streams, posing risks for applications that parse documents via HTTP requests. The vulnerability underscores the importance of regularly updating software to address emerging security threats.

Are You from SOC/DFIR Team? - Try Free Malware Research with ANY.RUN - Start Now

The post Critical PHP Vulnerability Let Hackers Bypass the Validation To Load Malicious Content  appeared first on Cyber Security News.