CVE-2025-14179
PDO Firebird Driver NUL Byte SQL Injection
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: PHP Group
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php | php | up to 8.2.31 (exclusive) |
| php | php | up to 8.3.31 (exclusive) |
| php | php | up to 8.4.21 (exclusive) |
| php | php | up to 8.5.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-14179, update PHP to a patched release on the branch you run: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, or 8.5.6 or later.
These versions fix the improper handling of NUL bytes in the PDO Firebird driver that leads to SQL injection.
Can you explain this vulnerability to me?
CVE-2025-14179 affects the PHP PDO_Firebird extension in versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. It involves improper handling of NUL bytes in quoted strings while Firebird SQL queries are being prepared. When a string token containing a NUL byte is processed, the function that copies the string stops at the NUL byte, so the closing quote is dropped. The SQL tokens that follow are then interpreted as part of the string, which allows attackers to inject malicious SQL code.
The flaw occurs during token-by-token query construction when PDO::quote() is used, and it enables SQL injection because attacker-controlled values are embedded improperly into SQL statements.
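The mechanism described above, as an added C sketch (not code from PHP or the pdo_firebird driver; all names and the sample query are constructed for illustration): a token-by-token rebuild that copies with a C-string function loses everything after an embedded NUL, while a length-aware copy keeps the closing quote.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout. A token is a slice of the query: pointer plus byte length. */
struct token { const char *p; size_t len; };
#define TOK(s) { s, sizeof(s) - 1 }

/* Flawed: strncat stops at the source's first NUL, so the closing quote is lost. */
static size_t build_truncating(char *out, size_t cap, const struct token *t, size_t n) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + t[i].len >= cap) return 0;
        strncat(out, t[i].p, t[i].len);
    }
    return strlen(out);
}

/* Length-aware: memcpy moves exactly len bytes, embedded NUL included. */
static size_t build_exact(char *out, size_t cap, const struct token *t, size_t n) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].len >= cap - used) return 0;
        memcpy(out + used, t[i].p, t[i].len);
        used += t[i].len;
    }
    out[used] = '\0';
    return used;
}

/* Constructed sample: the literal 'x<NUL>y' between two ordinary tokens. */
static const char LIT[] = { '\'', 'x', '\0', 'y', '\'' };
static const struct token SAMPLE[] = {
    TOK("SELECT id FROM t WHERE a = "), { LIT, sizeof LIT }, TOK(" AND b = 1"),
};

/* Quotes in the rebuilt query; an odd count means an unterminated literal. */
int sample_quotes(int exact, size_t *len) {
    char out[128];
    int q = 0;
    *len = (exact ? build_exact : build_truncating)(out, sizeof out, SAMPLE, 3);
    for (size_t i = 0; i < *len; i++) q += (out[i] == '\'');
    return q;
}

int main(void) {
    size_t a, b;
    int qa = sample_quotes(0, &a), qb = sample_quotes(1, &b);
    printf("truncating: %zu bytes, %d quote(s)\nexact: %zu bytes, %d quote(s)\n", a, qa, b, qb);
    return 0;
}
```

With the constructed input, the truncating build yields 39 bytes containing a single quote, so ` AND b = 1` falls inside the string literal; the length-aware build yields 42 bytes with both quotes intact.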
How can this vulnerability impact me?
This vulnerability can lead to SQL injection attacks, allowing attackers to manipulate SQL queries executed by the application. An attacker may be able to:
- Bypass authentication mechanisms.
- Alter, delete, or insert data in the database.
- Execute unauthorized SQL commands such as SELECT, INSERT, UPDATE, DELETE, MERGE, WITH, and EXECUTE statements.
Overall, it poses a high security risk by compromising the integrity and confidentiality of the database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because NUL bytes in SQL queries are handled improperly, the vulnerability allows SQL injection attacks, which can lead to unauthorized data access or manipulation.
Such unauthorized access or alteration of data can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding sensitive information against breaches.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of protected data, potentially causing violations of these regulations.
Mitigation by updating to patched PHP versions is necessary to maintain compliance and reduce risk.