![Nomad Goods Launches 15% Sitewide Sale for 48 Hours Only [Deal]](https://www.iclarified.com/images/news/96899/96899/96899-640.jpg)
![Apple Watch Series 10 Prototype with Mystery Sensor Surfaces [Images]](https://www.iclarified.com/images/news/96892/96892/96892-640.jpg)
![watchOS 11.4 now available with three new features for Apple Watch [U: Back]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/01/watchOS-11.4-hero.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
_Andrew_Angelov_Alamy.jpg?#)
![[The AI Show Episode 142]: ChatGPT’s New Image Generator, Studio Ghibli Craze and Backlash, Gemini 2.5, OpenAI Academy, 4o Updates, Vibe Marketing & xAI Acquires X](https://www.marketingaiinstitute.com/hubfs/ep%20142%20cover.png)
![Is this a suitable approach to architect a flutter app? [closed]](https://i.sstatic.net/4hMHGb1L.png)
![From broke musician to working dev. How college drop-out Ryan Furrer taught himself to code [Podcast #166]](https://cdn.hashnode.com/res/hashnode/image/upload/v1743189826063/2080cde4-6fc0-46fb-b98d-b3d59841e8c4.png?#)
-1280x720.jpg?width=1920&height=1920&fit=bounds&quality=80&format=jpg&auto=webp#)
![Baldur's Gate 3-Themed Stardew Valley Mod Hit With Takedown By D&D Owner [Update: It's Back]](https://i.kinja-img.com/image/upload/c_fill,h_675,pg_1,q_80,w_1200/72456bbdaa2125a0df912aa9d205bb26.webp)
Critical PHP Vulnerability Let Hackers Bypass the Validation To Load Malicious Content
A critical vulnerability in PHP’s libxml streams has been identified, potentially impacting web applications that rely on the DOM or SimpleXML extensions for HTTP requests. The flaw, tracked as CVE-2025-1219, involves the incorrect handling of the content-type header when a redirected resource is requested, leading to security risks such as document misinterpretation and validation bypass. […] The post Critical PHP Vulnerability Let Hackers Bypass the Validation To Load Malicious Content appeared first on Cyber Security News.
A critical vulnerability in PHP’s libxml streams has been identified, potentially impacting web applications that rely on the DOM or SimpleXML extensions for HTTP requests.
The flaw, tracked as CVE-2025-1219, involves the incorrect handling of the content-type header when a redirected resource is requested, leading to security risks such as document misinterpretation and validation bypass.
The vulnerability affects PHP versions:
- Below 8.1.32
- Below 8.2.28
- Below 8.3.18
- Below 8.4.5
Details of the Vulnerability
The issue arises when the HTTP stream wrapper follows a redirect. Instead of clearing previously captured headers before executing subsequent requests, it appends the headers from multiple requests into a single array.
This results in an array containing headers from all requests, with the headers from the final request placed last.
The function php_libxml_input_buffer_create_filename() or php_libxml_sniff_charset_from_stream() scans this array for a content-type header to determine the charset of the response.
However, it processes the headers sequentially from top to bottom and stops at the first content-type header it encounters.
According to the PHP report, This header may not correspond to the final response containing the HTML body being parsed. Consequently, documents may be parsed with an incorrect charset, leading to potential security issues.
This vulnerability can allow attackers to manipulate how documents are parsed by exploiting incorrect charset detection. For instance:
- Documents could be misinterpreted, altering their intended meaning.
- Validation processes might be bypassed if a document is parsed incorrectly.
- Exporting such documents using methods like
->saveHtml()could result in unintended outputs with the original charset preserved.
Applications using PHP’s DOM or SimpleXML extensions for HTTP requests are particularly vulnerable.
Proof of Concept
A proof-of-concept (PoC) demonstrates how this vulnerability can be exploited:
- A redirect script (
redirect.php) sends acontent-typeheader specifying a charset (utf-16) and redirects to another resource. - When accessed via PHP’s DOMDocument or SimpleXML extensions, the initial
content-typeheader is incorrectly used for parsing instead of that of the final response.
This behavior can lead to incorrect parsing and validation bypasses, as shown in scenarios where exported HTML content retains its original charset despite being manipulated.
PHP developers have addressed this issue in the following versions:
- PHP 8.1.32
- PHP 8.2.28
- PHP 8.3.19
- PHP 8.4.5
Mitigation Steps
To protect against CVE-2025-1219, users are strongly advised to update their PHP installations to one of the patched versions listed above:
- Check your current version using
php -v. - Update your system via your package manager or download updated binaries from php.net.
- Restart any services relying on PHP after updating.
CVE-2025-1219 highlights a critical flaw in how PHP handles HTTP redirects using libxml streams, posing risks for applications that parse documents via HTTP requests. The vulnerability underscores the importance of regularly updating software to address emerging security threats.
Are You from SOC/DFIR Team? - Try Free Malware Research with ANY.RUN - Start Now
The post Critical PHP Vulnerability Let Hackers Bypass the Validation To Load Malicious Content appeared first on Cyber Security News.
.webp?#)
