CVE Catalog

CVE-2025-14179

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string.

Risk Assessment

An attacker can exploit this vulnerability for SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements, potentially leading to unauthorized data access or modification.

Recommendation

Immediately upgrade PHP to version 8.2.31, 8.3.31, 8.4.21, or 8.5.6 depending on the branch used. If an upgrade is not possible, avoid using PDO::quote() with data containing NUL bytes in Firebird database queries.

Original NVD description (English source)

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS