CVE-2025-14177

Published Dec 27, 2025

Last updated 5 months ago

CVSS medium 6.3
PHP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-14177 is an information disclosure vulnerability found in multiple versions of PHP, specifically within the `getimagesize()` function. The flaw occurs when this function processes images in multi-chunk mode, such as through `php://filter`. The root cause is a bug in the `php_read_stream_all_chunks()` function, where the buffer is overwritten without the pointer advancing, leaving certain tail bytes uninitialized. This can lead to the leakage of uninitialized heap memory into APPn segments (e.g., APP1) of the image, potentially exposing sensitive data from the server's memory.

Description
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Source
security@php.net
NVD status
Analyzed
Products
php

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security@php.net
CWE-125

Social media

Hype score
Not currently trending

  1. PHP CVE-2025-14177: getimagesize() blutet Heap-Speicher, iptcembed() bleibt offen https://t.co/4V1u6AxGhS https://t.co/iIDAZopzPa

    @moselwal

    19 May 2026

    273 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 New JPEG Image Attack Exposes Critical PHP Memory Bugs: #CVE-2025-14177 & iptcembed Heap Overflow + Video https://t.co/RR6rip7Cv4 Educational Purposes!

    @UndercodeUpdate

    18 May 2026

    317 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. PHPの画像サイズ取得関数getimagesizeに、細工したJPEGの処理を通じてサーバーのヒープメモリが漏洩しうる脆弱性CVE-2025-14177が報告されています。CMSやWebメール、画像CDNなど、ユーザーがアップロードした画像の

    @MalwareBibleJP

    16 May 2026

    1458 Impressions

    2 Retweets

    14 Likes

    1 Bookmark

    0 Replies

    2 Quotes

  4. PHPの画像処理機能で、JPEG画像だけで情報漏洩やDoSを引き起こせる脆弱性2件が修正された。公開アップロード機能への影響が懸念される。 問題はPHP ext/standard拡張の「getimagesize」と「iptcembed」に存在する。CVE-2

    @yousukezan

    16 May 2026

    6102 Impressions

    23 Retweets

    74 Likes

    29 Bookmarks

    0 Replies

    1 Quote

  5. New research reveals two critical heap memory bugs in PHP's core JPEG processing functions. Memory disclosure in getimagesize() and buffer overflow in iptcembed() affecting millions of PHP applications worldwide. Key technical details: • CVE-2025-14177: getimagesize() memory h

    @DFIR_Radar

    15 May 2026

    657 Impressions

    2 Retweets

    7 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  6. 🐘 PHP JPEG bugs: how image parsing leads to memory corruption. Our researcher Nikita Sveshnikov discovered two JPEG-related memory-safety bugs in PHP’s ext/standard: CVE-2025-14177 in getimagesize and a heap buffer overflow in iptcembed. https://t.co/nNKziv8oxn https://t.

    @akaclandestine

    15 May 2026

    1127 Impressions

    2 Retweets

    8 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  7. 🐘 PHP JPEG bugs: how image parsing leads to memory corruption. Our researcher Nikita Sveshnikov discovered two JPEG-related memory-safety bugs in PHP’s ext/standard: CVE-2025-14177 in getimagesize and a heap buffer overflow in iptcembed. https://t.co/WCQWlfuPZl https://t.

    @ptswarm

    15 May 2026

    5628 Impressions

    20 Retweets

    65 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

  8. 🔐 Critical PHP vulnerabilities disclosed in #Ubuntu (USN-7953-1). Affects PHP 7.2-8.4. Can lead to DoS & info disclosure (CVE-2025-14177, -14178, -14180). Read more: 👉 https://t.co/mQvut1U8xr #Security https://t.co/egG6nZrXcT

    @Cezar_H_Linux

    12 Jan 2026

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. After analyzing 92% of vulnerabilities from past week, CVE-2025-14177 has 8 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    3 Jan 2026

    95 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. ⚠️ Vulnerabilidades en PHP ❗ CVE-2025-14180 ❗ CVE-2025-14178 ❗ CVE-2025-14177 ➡️ Más info: https://t.co/froC0Srbx0 https://t.co/SqVOorvsPd

    @CERTpy

    24 Dec 2025

    106 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. kusanagi-php84 Module Update 8.4.16-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: php 8.4.16-1 This update includes support for vulnerability(CVE-2025-14180, CVE-2025-14178, CVE-2025-14177). The module update can... https://t.co/XHrMr8ucpT

    @kusanagi_saya

    22 Dec 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. kusanagi-php85 モジュール更新情報 8.5.1-1 KUSANAGI 9 を構成している各モジュールのアップデートを行いました。 アップデートにより適用される各モジュールのバージョンは、以下のとおりとなります。 php 8.5.1-1

    @kusanagi_saya

    22 Dec 2025

    86 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. URGENT: #Mageia 9 security advisory MGASA-2025-0330 patches high-severity PHP flaws (CVE-2025-14177/78/80). Read more: 👉 https://t.co/i8XBPDb5R6 #Security https://t.co/puT6nk5JJw

    @Cezar_H_Linux

    21 Dec 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.CVE-2026-7263
  2. In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.CVE-2026-6104
  3. In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().CVE-2026-7259
  4. In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.CVE-2026-6722
  5. In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.CVE-2026-7568

References

Sources include official advisories and independent security research.