Critical PHP Vulnerability Allows Hackers to Bypass Validation and Load Malicious Content

A significant security flaw has been discovered in PHP’s libxml streams, potentially affecting web applications that utilize the DOM or SimpleXML extensions for HTTP requests. This vulnerability, identified as CVE-2025-1219, stems from improper handling of the `content-type` header during HTTP redirects, leading to risks such as document misinterpretation and validation bypass.

Affected PHP Versions:

– Below 8.1.32
– Below 8.2.28
– Below 8.3.18
– Below 8.4.5

Vulnerability Details:

The issue arises when PHP’s HTTP stream wrapper follows a redirect. Instead of clearing previously captured headers before executing subsequent requests, it appends headers from multiple requests into a single array. This results in an array containing headers from all requests, with the headers from the final request placed last.

The function `php_libxml_input_buffer_create_filename()` (or `php_libxml_sniff_charset_from_stream()`) scans this array for a `content-type` header to determine the charset of the response. It walks the headers from top to bottom and stops at the first `content-type` header it encounters, so after a redirect that header may belong to an earlier response rather than to the final response whose body is being parsed. Consequently, documents may be parsed with an incorrect charset, leading to potential security issues.

Potential Exploitation:

Because the charset is taken from the wrong response, an attacker can influence how a document is parsed by forcing incorrect charset detection. For instance:

– Documents could be misinterpreted, altering their intended meaning.
– Validation processes might be bypassed if a document is parsed incorrectly.
– Exporting such documents using methods like `->saveHTML()` could result in unintended outputs with the original charset preserved.

Applications using PHP’s DOM or SimpleXML extensions for HTTP requests are particularly vulnerable.

Proof of Concept:

A proof-of-concept (PoC) demonstrates how this vulnerability can be exploited:

1. A redirect script (`redirect.php`) sends a `content-type` header specifying a charset (`utf-16`) and redirects to another resource.
2. When accessed via PHP’s DOMDocument or SimpleXML extensions, the initial `content-type` header is incorrectly used for parsing instead of that of the final response.

This behavior can lead to incorrect parsing and validation bypasses, as shown in scenarios where exported HTML content retains its original charset despite being manipulated.
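The header-accumulation behaviour described in the Vulnerability Details and Proof of Concept sections can be modelled in a few lines. The following is an added example, not code from the advisory or from PHP itself: it takes a constructed header array of the kind the HTTP stream wrapper builds across a redirect chain, compares the first `content-type` (what the affected libxml code uses) with the `content-type` of the final response, and flags the mismatch. The function names and the header values are assumptions made for this example.

```php
<?php
// Added example (not from the advisory or PHP). Models the header array that
// PHP's HTTP stream wrapper accumulates across a redirect chain and compares the
// affected lookup (first content-type wins) with a final-response-aware lookup.

/** Mirrors the affected behaviour: the first content-type header in the array. */
function firstContentType(array $headers): ?string
{
    foreach ($headers as $line) {
        if (stripos($line, 'content-type:') === 0) {
            return trim(substr($line, strlen('content-type:')));
        }
    }
    return null;
}

/** Only considers headers that follow the last HTTP status line, i.e. the final response. */
function finalContentType(array $headers): ?string
{
    $final = [];
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\d#i', $line)) {
            $final = []; // a new response begins: discard headers of the previous one
            continue;
        }
        $final[] = $line;
    }
    return firstContentType($final);
}

/** Extracts the charset parameter from a content-type value, lower-cased, or null. */
function charsetOf(?string $contentType): ?string
{
    if ($contentType !== null && preg_match('/charset\s*=\s*"?([\w.:-]+)"?/i', $contentType, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Constructed header array: a redirect advertising utf-16, then a utf-8 final page.
$headers = [
    'HTTP/1.1 302 Found',
    'Content-Type: text/html; charset=utf-16',
    'Location: http://example.invalid/final.html',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=utf-8',
];

$usedByLibxml = charsetOf(firstContentType($headers)); // affected behaviour
$actual       = charsetOf(finalContentType($headers)); // charset of the final response
if ($usedByLibxml !== $actual) {
    echo "charset mismatch across redirect: libxml would use {$usedByLibxml}, final response says {$actual}\n";
}
```

With a real fetch, the `$http_response_header` array that PHP populates after `file_get_contents()` over the HTTP wrapper can be passed in place of the constructed array; a mismatch is the signal that a document loaded via `DOMDocument` or SimpleXML from that URL would be parsed with the wrong charset on an unpatched version.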

Mitigation Steps:

To protect against CVE-2025-1219, users are strongly advised to update their PHP installations to a fixed release: 8.1.32, 8.2.28, 8.3.18 or 8.4.5, or later, matching the affected ranges listed above:

1. Check your current version using `php -v`.
2. Update your system via your package manager or download updated binaries from the official PHP website.
3. Restart any services relying on PHP after updating.

CVE-2025-1219 highlights a critical flaw in how PHP handles HTTP redirects using libxml streams, posing risks for applications that parse documents via HTTP requests. The vulnerability underscores the importance of regularly updating software to address emerging security threats.