CVE-2025-14180

27.12.2025, 20:15

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
php	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

php7.4

bullseye	vulnerable
bullseye (security)	vulnerable

php8.2

bookworm	vulnerable
bookworm (security)	vulnerable

php8.4

trixie	vulnerable
trixie (security)	8.4.16-1~deb13u1 fixed
forky	8.4.16-1 fixed
sid	8.4.16-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

php5

questing	dne
plucky	dne
noble	dne
jammy	dne
trusty	needs-triage

php7.0

questing	dne
plucky	dne
noble	dne
jammy	dne
xenial	needs-triage

php7.2

questing	dne
plucky	dne
noble	dne
jammy	dne
bionic	needs-triage

php7.4

questing	dne
plucky	dne
noble	dne
jammy	dne
focal	needs-triage

php8.1

questing	dne
plucky	dne
noble	dne
jammy	needs-triage

php8.3

questing	dne
plucky	dne
noble	needs-triage
jammy	dne

php8.4

questing	needs-triage
plucky	needs-triage
noble	dne
jammy	dne

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Vulnerability Media Exposure

[GERMAN] PHP: Mehrere Schwachstellen
Ein entfernter Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, um einen Server-Side Request-Forgery Angriff ausführen oder nicht bekannte Auswirkungen erzielen.
Published: 2025-12-18T23:00:00+00:00

References

https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj