CVE-2025-14180
Null Pointer Dereference in PHP PDO PostgreSQL Causes Server Crash
Publication date: 2025-12-27
Last updated on: 2025-12-27
Assigner: PHP Group
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | 8.1.* before 8.1.34 |
| php | php | 8.2.* before 8.2.30 |
| php | php | 8.3.* before 8.3.29 |
| php | php | 8.4.* before 8.4.16 |
| php | php | 8.5.* before 8.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
How can this vulnerability impact me?
Any request that lets attacker-controlled bytes reach a bound parameter of an emulated prepared statement on the PDO PostgreSQL driver can kill the PHP process with a segmentation fault. The impact is to availability only: a NULL pointer dereference here gives no memory disclosure and no code execution. Under php-fpm the crashed worker is respawned and only that request fails (usually surfaced by the web server as a 5xx), but an attacker who can repeat the request can keep workers dying and degrade or deny the service; under the CLI the script simply terminates.
Can you explain this vulnerability to me?
The bug is in the PDO PostgreSQL driver (pdo_pgsql) of the listed PHP branches when PDO::ATTR_EMULATE_PREPARES is set to true. In emulated mode PDO does not send parameters to the server separately; it quotes each value client-side and splices it into the SQL text in pdo_parse_params(). The driver's quoter asks libpq to escape the value, and libpq's literal-escaping call (PQescapeLiteral) returns NULL when the value is not valid in the connection's client encoding, for example a bare \x99 byte under UTF-8. That NULL was passed on unchecked, so pdo_parse_params() dereferenced it and the process died with a segmentation fault. Native (server-side) prepared statements never take this quoting path, which is why disabling emulation avoids the issue.
What immediate steps should I take to mitigate this vulnerability?
Update PHP to a fixed release: 8.1.34 or later on the 8.1 branch, 8.2.30 or later on 8.2, 8.3.29 or later on 8.3, 8.4.16 or later on 8.4, or 8.5.1 or later on 8.5. If you cannot update immediately, set PDO::ATTR_EMULATE_PREPARES to false for PDO PostgreSQL connections. This switches to native prepared statements, where the server receives parameters separately and rejects an invalid byte sequence with an "invalid byte sequence for encoding" error that surfaces as a normal PDOException rather than a crash; native prepares do change driver behaviour, so run your test suite after flipping the setting. As defence in depth, validating the encoding of user input (for example with mb_check_encoding) before binding it removes the trigger in either mode, but it is not a substitute for patching.
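The two mitigations side by side, as an added example that is not part of the advisory or of PHP's own code: a connection factory that turns off the vulnerable emulated mode, and an encoding guard applied to every value before it is bound. The DSN, credentials, the `users` table and the function names are assumptions for illustration; the guard requires the mbstring extension.

```php
<?php
// Added example (not from the advisory or PHP itself). DSN, credentials,
// the 'users' table and these function names are assumed for illustration.
declare(strict_types=1);

function connectPgsql(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        // Weak setting that exposes CVE-2025-14180 on unpatched PHP:
        //   PDO::ATTR_EMULATE_PREPARES => true,
        // Hardened: let PostgreSQL prepare the statement server-side, so
        // parameters travel separately and the client-side quoter is not used.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Report driver errors as exceptions instead of silent failures.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

/**
 * Defence in depth: reject values that are not valid in the connection's
 * client encoding before they reach the driver. Such byte sequences are the
 * trigger for the NULL dereference and are never legitimate text input.
 * Needs ext/mbstring.
 */
function assertValidEncoding(string $value, string $encoding = 'UTF-8'): string
{
    if (!mb_check_encoding($value, $encoding)) {
        throw new InvalidArgumentException(
            'Parameter contains bytes that are not valid ' . $encoding
        );
    }
    return $value;
}

function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => assertValidEncoding($name)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed DSN and credentials):
// $pdo = connectPgsql('pgsql:host=localhost;dbname=app', 'app', 'secret');
// findUserByName($pdo, "alice");      // normal lookup
// findUserByName($pdo, "alice\x99");  // throws InvalidArgumentException before the driver sees the value
```

With emulation off, a value that slips past the guard (for example if the client encoding is not UTF-8) is still sent as a separate parameter, and PostgreSQL rejects it with an encoding error that arrives as a PDOException; the client-side quoting path that crashed on unpatched builds is not exercised at all.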
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a denial of service: it crashes the PHP process but does not compromise confidentiality or integrity, so it affects availability only. Standards such as GDPR and HIPAA focus on data protection and privacy, and there is no direct indication that this issue bears on them. Availability failures can still matter indirectly if a critical service is disrupted, so treat the patch as routine vulnerability management rather than a data-breach event. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is nothing to detect on the wire beyond failed requests, so detection is host-side. The simplest check is the PHP version: anything on 8.1, 8.2, 8.3, 8.4 or 8.5 below the fixed releases (8.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1) with the pdo_pgsql extension loaded and PDO::ATTR_EMULATE_PREPARES enabled is vulnerable. After the fact, a triggered crash shows up in the php-fpm log as a worker that "exited on signal 11 (SIGSEGV)" and, on Linux, as a segfault entry in the kernel log. To confirm the bug directly, run a script that binds a parameter containing an invalid byte sequence such as "\x99" with emulated prepares on; do this only in a throwaway CLI process against a non-production database, never on a live server, since a vulnerable build will segfault:
```php
<?php
$pdo = new PDO('pgsql:host=localhost;dbname=test', 'user', 'pass',
    [PDO::ATTR_EMULATE_PREPARES => true, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$stmt->execute(["alice\x99"]);   // \x99 is not valid UTF-8: a vulnerable build segfaults here
echo "no crash\n";
```
Run it as `php test.php; echo "exit=$?"` with placeholder DSN and credentials replaced. A vulnerable build dies before printing anything, and the shell reports "Segmentation fault" with exit status 139. A patched build either prints "no crash" or, because ERRMODE_EXCEPTION is set, terminates with an uncaught PDOException (for example if the users table does not exist); that is a clean PHP error, not a crash, and is the reason the error mode is set explicitly. [1]