Debian: PHP 7.4 Critical SSRF and DoS Vulnerabilities DLA-4254-1
debian lts
July 27, 2025
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in server side request forgery or denial of service
Summary
CVE-2025-1220
Jihwan Kim discovered that fsockopen() lack validation that the
hostname supplied does not contain null characters, which may lead
to other functions like parse_url() to treat the hostname in an
incorrect way, thereby potentially causing Server Side Request
Forgery.
CVE-2025-1735
It was discovered that pgsql and pdo_pgsql escaping functions do not
check if the underlying quoting functions returned errors, which may
lead to crashes due to null pointer dereferences.
This issue is related to CVE-2025-1094 which was reported to
PostgreSQL.
CVE-2025-6491
Ahmed Lekssays discovered that SoapVar instances created with a
fully qualified name larger than 2G could lead to denial of service
due to null pointer dereference.
For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u9.
We recommend that you upgrade your php7.4 packages.
For the detailed security status of php7.4 please refer to
its security tracker page at:
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: php7.4
Version: 7.4.33-1+deb11u9
CVE ID: CVE-2025-1220 CVE-2025-1735 CVE-2025-6491
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!