CVE-2025-1219

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-1219

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1219.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-1219

Aliases

Downstream

AZL-59300

AZL-59316

BELL-CVE-2025-1219

DEBIAN-CVE-2025-1219

DLA-4088-1

DSA-5878-1

MGASA-2025-0100

MINI-ch75-fmj3-c2q4

MINI-f5x9-fc37-7rj2

MINI-hf35-qm6g-6f63

MINI-mrgr-5px7-r5f9

OESA-2025-1302

OESA-2025-1303

OESA-2025-1304

OESA-2025-1305

OESA-2025-1306

RHSA-2025:15687

RHSA-2025:4263

RHSA-2025:7418

RHSA-2025:7431

RHSA-2025:7432

RHSA-2025:7489

RHSA-2026:2470

RLSA-2025:15687

RLSA-2025:4263

RLSA-2025:7418

RLSA-2025:7431

RLSA-2025:7432

RLSA-2025:7489

RLSA-2026:2470

SUSE-SU-2025:0994-1

SUSE-SU-2025:1012-1

SUSE-SU-2025:1025-1

SUSE-SU-2025:1026-1

UBUNTU-CVE-2025-1219

USN-7400-1

openSUSE-SU-2025:14895-1

Related

Published

2025-03-30T05:33:13.801Z

Modified

2026-05-15T04:12:59.431061227Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

libxml streams use wrong content-type header when requesting a redirected resource

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/1xxx/CVE-2025-1219.json",
    "cna_assigner": "php"
}

References

Affected packages