Two significant vulnerabilities in PHP’s image processing capabilities have been identified, posing potential risks for data leaks and denial-of-service attacks. These security concerns, discovered by Positive Technologies researcher Nikita Sveshnikov, involve the widely used getimagesize and iptcembed functions, highlighting the importance of addressing these issues promptly.
Details of PHP Memory Safety Vulnerabilities
The initial vulnerability, cataloged as CVE-2025-14177 with a CVSS score of 6.3, is linked to information disclosure when the getimagesize function handles JPEG APP segments in multi-chunk mode. This flaw affects specific PHP versions, including 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1.
The core issue arises from improper concatenation of data chunks during JPEG segment processing, leading to uninitialized memory allocation. This flaw can be exploited by attackers using JPEG files with large APP1 segments, potentially exposing sensitive information through the php://filter mechanism.
Heap Buffer Overflow and Its Consequences
The second vulnerability affects the iptcembed function, which integrates binary IPTC data into JPEG files. This issue is a classic heap buffer overflow, occurring due to insufficient buffer space allocation based on file size estimations. As a result, when handling non-standard file types, the function may write out of bounds, leading to potential heap corruption.
This flaw introduces a race condition, where files can increase in size between size checks and reads, allowing attackers to exploit this by manipulating data streams. Such vulnerabilities are critical for systems handling large volumes of user-uploaded images, such as content management systems and image CDNs.
Mitigation Measures and Recommendations
Developers have addressed the CVE-2025-14177 vulnerability by adjusting the php_read_stream_all_chunks function to ensure proper buffer management. A regression test accompanies this fix to prevent recurrence. Additionally, improvements to the iptcembed function now include bounds checking to avoid buffer overflows.
It is crucial for organizations to update their PHP installations to versions 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1 and above. Priority should be given to systems with public-facing upload endpoints to mitigate potential exploitation risks. Staying informed through reliable sources like Google News and LinkedIn ensures timely updates on such critical security matters.
Following these updates and recommendations will enhance security by addressing these vulnerabilities, reducing the risk of sensitive data exposure and service disruptions.
