Critical security vulnerabilities have been found in PHP that could allow attackers to execute SQL injection attacks and trigger denial of service (DoS) conditions.
Two distinct vulnerabilities, assigned CVE-2025-1735 and CVE-2025-6491, affect multiple PHP versions and require immediate patching.
Key Takeaways
1. CVE-2025-1735 (PostgreSQL) and CVE-2025-6491 (SOAP) affect versions below 8.1.33, 8.2.29, 8.3.23, and 8.4.10.
2. The PostgreSQL extension flaw permits SQL injection due to missing error checking in escape functions.
3. The SOAP extension crashes when processing oversized namespace prefixes (>2GB), causing segmentation faults.
4. Upgrade to patched versions to prevent SQL injection and service disruption attacks.
The issues affect PHP installations running versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, with patches now available for all affected branches.
PostgreSQL Extension Vulnerability
The first vulnerability, CVE-2025-1735, affects PHP's PostgreSQL extension and stems from insufficient error checking during string escaping operations.
The flaw occurs when PHP uses escape functions without proper error parameter handling, specifically failing to pass error parameters to the PQescapeStringConn() function.
This missing error checking could lead to SQL injection vulnerabilities and application crashes due to null pointer dereferences.
The vulnerability is directly related to PostgreSQL's CVE-2025-1094, initially reported to the PostgreSQL project.
Security researchers found that PHP's implementation does not allow for proper error reporting during escape operations, potentially leaving applications vulnerable even when PostgreSQL attempts to trigger server-side errors for invalidly encoded strings.
Additionally, multiple calls to PQescapeIdentifier() fail to check for NULL return values, which is the documented method for error reporting.
This oversight can lead to undefined behavior (UB) or application crashes in various code paths.
SOAP Extension Flaw
The second vulnerability, CVE-2025-6491, affects PHP's SOAP extension and can cause segmentation faults leading to denial of service.
The flaw manifests when a SoapVar instance is created with a fully qualified name exceeding 2GB in size, triggering a null pointer dereference that results in immediate application termination.
The vulnerability occurs due to limitations in libxml2 versions prior to 2.13, which cannot properly handle calls to xmlNodeSetName() with names longer than 2GB.
This leaves XML node objects in an invalid state with NULL names, subsequently causing crashes during message serialization.
The attack vector involves creating a malicious SoapVar object with an oversized namespace prefix, as demonstrated in the proof-of-concept code that generates a segmentation fault via the xmlBuildQName() function.
The vulnerability carries a CVSS score of 5.9, indicating moderate severity but significant potential for service disruption.
| CVEs | Description | Affected Products | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-1735 | PostgreSQL extension SQL injection vulnerability | PHP versions < 8.1.33; PHP versions < 8.2.29; PHP versions < 8.3.23; PHP versions < 8.4.10 | 9.1 (Critical) |
| CVE-2025-6491 | SOAP extension denial of service vulnerability | PHP versions < 8.1.33; PHP versions < 8.2.29; PHP versions < 8.3.23; PHP versions < 8.4.10; PHP <= 8.5.0-dev with libxml2 < 2.13 | 5.9 (Medium) |
Ahmed Leksa, from Qatar Computing Analysis Institute, discovered this vulnerability, which affects any PHP installation with the SOAP extension enabled.
Administrators should immediately update to patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates address both vulnerabilities and restore proper error-handling mechanisms in the affected extensions.
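A host-side check for the exposure described above, as an added example that is not from the original article or the PHP project: it compares the running build against the fixed releases named here and reports only the extensions that are actually loaded. The function name `auditPhpBuild` is hypothetical, and `pgsql` and `soap` are assumed to be the names under which the two extensions are registered.

```php
<?php
// Added example, not code from the PHP project.
// Fixed release per branch, as listed in the article.
const FIXED_RELEASES = ['8.1' => '8.1.33', '8.2' => '8.2.29', '8.3' => '8.3.23', '8.4' => '8.4.10'];

// auditPhpBuild() is a hypothetical helper. It returns one finding per exposed
// extension; an empty array means nothing to report for this build.
function auditPhpBuild(string $version, array $extensions, ?string $libxml): array
{
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return ["unparseable version string: $version"];
    }
    $core   = "$m[1].$m[2].$m[3]";   // numeric part only; vendor suffixes are ignored
    $branch = "$m[1].$m[2]";
    $loaded = array_map('strtolower', $extensions);

    // Branches in the table compare against their own fix. Older branches have
    // no fixed release listed and sort below 8.1.33, so they are always flagged.
    $fixed    = FIXED_RELEASES[$branch] ?? null;
    $belowFix = $fixed !== null
        ? version_compare($core, $fixed, '<')
        : version_compare($core, '8.1.33', '<');

    // The article also lists 8.5.0-dev builds when linked against libxml2 < 2.13.
    $oldLibxml = $libxml !== null && version_compare($libxml, '2.13', '<');
    $devSoap   = strpos($version, '8.5.0-dev') === 0 && $oldLibxml;

    $findings = [];
    if ($belowFix && in_array('pgsql', $loaded, true)) {
        $findings[] = "CVE-2025-1735: pgsql loaded on $version, upgrade to " . ($fixed ?? 'a patched branch');
    }
    if (($belowFix || $devSoap) && in_array('soap', $loaded, true)) {
        $findings[] = "CVE-2025-6491: soap loaded on $version (libxml2 " . ($libxml ?? 'unknown') . ')';
    }
    return $findings;
}

// Audit the interpreter executing this file. Run it under every SAPI in use
// (CLI, FPM, mod_php): they can be separate builds with different extensions.
$libxml = defined('LIBXML_DOTTED_VERSION') ? LIBXML_DOTTED_VERSION : null;
$report = auditPhpBuild(PHP_VERSION, get_loaded_extensions(), $libxml);
echo $report ? implode(PHP_EOL, $report) . PHP_EOL : "no exposed extension found" . PHP_EOL;
```

Distribution packages can carry backported fixes under an older upstream version number, so a finding on a vendor build should be confirmed against the vendor's own advisory.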