Server-side Request Forgery (SSRF) Affecting php package, versions [,8.1.33)[8.2.0RC1,8.2.29)[8.3.0RC1,8.3.23)[8.4.0RC1,8.4.10)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UNMANAGED-PHP-11426536
  • published3 Aug 2025
  • disclosed13 Jul 2025
  • creditUnknown

Introduced: 13 Jul 2025

NewCVE-2025-1220  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade php to version 8.1.33, 8.2.29, 8.3.23, 8.4.10 or higher.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the php_fsockopen_stream() function in the ext/standard/fsock.c file. An attacker can access internal network resources by submitting input containing a null character in the hostname.

PoC

<?php

$fp = fsockopen("localhost\0.some-domain-for-me.com, 4000);
fwrite($fp, "TEST\n");
fclose($fp);

This code will connect to localhost:4000

CVSS Base Scores

version 4.0
version 3.1