libxml streams use wrong `content-type` header when requesting a redirected resource

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...

Уязвимость функций php_libxml_input_buffer_create_filename() и php_libxml_sniff_charset_from_stream() интерпретатора языка программирования PHP, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес

Moderate: php security update

ELSA-2025-7431: php security update (MODERATE)

Security update for php7

Security update for php7

Security update for php8

Security update for php8

Important: php security update

Important: php:8.3 security update

ELSA-2025-7489: php security update (IMPORTANT)

ELSA-2025-7418: php:8.3 security update (IMPORTANT)

Moderate: php:8.2 security update

Moderate: php:8.1 security update

ELSA-2025-7432: php:8.2 security update (MODERATE)