CVE-2025-7381: PHP X-Powered-By Header Exposes PHP Version
CVE-2025-7381 Published on July 9, 2025
Exposure of sensitive PHP information to an unauthorized control sphere in mautic/mautic images
ImpactThis is an information disclosure vulnerability originating from PHP's base image. This vulnerability exposes the PHP version through an X-Powered-By header, which attackers could exploit to fingerprint the server and identify potential weaknesses.
WorkaroundsThe mitigation requires changing the expose_php variable from "On" to "Off" in the file located at /usr/local/etc/php/php.ini.
Vulnerability Analysis
CVE-2025-7381 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Exposure of Sensitive System Information to an Unauthorized Control Sphere
The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.
Products Associated with CVE-2025-7381
Want to know whenever a new CVE is published for PHP? stack.watch will email you.
Affected Versions
Docker Mautic:- Version <= 6.0.3-20250707-apache is affected.
- Version <= 6.0.3-20250707-fpm is affected.
- Version <= 5.2.7-20250707-apache is affected.
- Version <= 5.2.7-20250707-fpm is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.