AI description
CVE-2025-14179 describes a vulnerability within the PDO Firebird driver in specific versions of PHP. This flaw affects PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6. The vulnerability arises from the improper handling of NUL bytes during the preparation of SQL queries. When a string token containing a NUL byte is copied via `strncat()`, the function stops at the NUL byte, which can cause the closing quote of the string to be dropped. This leads to subsequent SQL tokens being misinterpreted as part of the string, ultimately allowing for SQL injection when attacker-controlled values are quoted using `PDO::quote()` and embedded in SQL statements.
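The mechanism in the description, as an added C example that is not PHP's own code: a token-by-token query builder that appends each token with `strncat()` (the pattern the advisory describes) beside one that copies by explicit length with `memcpy()`. The `token_t` type, the builder functions and the sample query are constructed for this illustration; the quoted token models what `PDO::quote()` would produce for a value containing a NUL byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A token with an explicit byte length, so an embedded NUL is part of the data. */
typedef struct {
    const char *data;
    size_t len;
} token_t;

/* Vulnerable pattern: strncat() treats each token as a C string, so copying
 * ends at the first NUL byte no matter what length is passed. For a quoted
 * token "'ab\0cd'" only "'ab" is appended and the closing quote is lost, which
 * puts every following token inside the string literal. (cap is unused here
 * because strncat() does not bound the destination; this builder is for
 * demonstration only.) */
size_t build_query_strncat(char *out, size_t cap, const token_t *toks, size_t n) {
    (void)cap;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        strncat(out, toks[i].data, toks[i].len);
    return strlen(out);
}

/* Length-aware copy: memcpy() honours toks[i].len, so the NUL byte and the
 * closing quote both reach the output. Returns 0 if the buffer is too small. */
size_t build_query_memcpy(char *out, size_t cap, const token_t *toks, size_t n) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + toks[i].len + 1 > cap)
            return 0;
        memcpy(out + pos, toks[i].data, toks[i].len);
        pos += toks[i].len;
    }
    out[pos] = '\0';
    return pos;
}

/* Count single quotes over an explicit byte range (not a C string scan). */
size_t count_quotes(const char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\'')
            c++;
    return c;
}

/* Constructed sample: the middle token is a quoted string containing a NUL. */
static const token_t SAMPLE[3] = {
    { "SELECT * FROM t WHERE name = ", sizeof("SELECT * FROM t WHERE name = ") - 1 },
    { "'ab\0cd'", sizeof("'ab\0cd'") - 1 },
    { " AND id = 1", sizeof(" AND id = 1") - 1 },
};

/* Number of quotes that survive each builder: 1 means the literal was never
 * closed, 2 means the token boundary is intact. */
size_t quotes_via_strncat(void) {
    char buf[128];
    size_t n = build_query_strncat(buf, sizeof buf, SAMPLE, 3);
    return count_quotes(buf, n);
}

size_t quotes_via_memcpy(void) {
    char buf[128];
    size_t n = build_query_memcpy(buf, sizeof buf, SAMPLE, 3);
    return count_quotes(buf, n);
}

int main(void) {
    char buf[128];
    size_t n = build_query_strncat(buf, sizeof buf, SAMPLE, 3);
    printf("strncat: %zu bytes, %zu quote(s): %s\n", n, count_quotes(buf, n), buf);
    n = build_query_memcpy(buf, sizeof buf, SAMPLE, 3);
    printf("memcpy:  %zu bytes, %zu quote(s)\n", n, count_quotes(buf, n));
    return 0;
}
```

The strncat build yields 43 bytes with a single quote, so ` AND id = 1` now sits inside the string literal; the memcpy build yields all 47 bytes with both quotes. The general lesson is that once a value may legitimately contain NUL bytes, every copy along the path must carry an explicit length rather than rely on NUL termination.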
- Description: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
- Source: security@php.net
- NVD status: Received
CVSS 4.0
- Type: Secondary
- Base score: 7.4
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber
- Severity: HIGH
- Weakness (source security@php.net): CWE-89
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
CVE-2025-14179 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when prepa… https://t.co/D1PTFsnA86
@CVEnew
10 May 2026
292 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-14179 SQL Injection in PHP PDO Firebird Driver via NUL Byte Handling https://t.co/fA36PXbOxV
@VulmonFeeds
10 May 2026
258 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes