CVE-2025-14179
Received Received - Intake
PDO Firebird Driver NUL Byte SQL Injection

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: PHP Group

Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQLΒ statements.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2025-14179
EUVD
EUVD-2025-209755
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
php php to 8.2.31 (exc)
php php to 8.3.31 (exc)
php php to 8.4.21 (exc)
php php to 8.5.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate the CVE-2025-14179 vulnerability, users should update their PHP installations to the patched versions: 8.2.31 or later, 8.3.31 or later, 8.4.21 or later, and 8.5.6 or later.

Updating to these versions addresses the improper handling of NUL bytes in the PDO Firebird driver that leads to SQL injection vulnerabilities.

Executive Summary

The CVE-2025-14179 vulnerability affects the PHP PDO_Firebird extension in versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. It involves improper handling of NUL bytes in quoted strings during the preparation of Firebird SQL queries. Specifically, when a string token containing a NUL byte is processed, the function copying the string stops at the NUL byte, causing the closing quote to be dropped. This results in subsequent SQL tokens being interpreted as part of the string, which allows attackers to inject malicious SQL code.

This flaw occurs during token-by-token query construction when using PDO::quote(), enabling SQL injection attacks by embedding attacker-controlled values improperly into SQL statements.

Impact Analysis

This vulnerability can lead to SQL injection attacks, allowing attackers to manipulate SQL queries executed by the application.

  • Bypass authentication mechanisms.
  • Alter, delete, or insert data in the database.
  • Execute unauthorized SQL commands such as SELECT, INSERT, UPDATE, DELETE, MERGE, WITH, and EXECUTE statements.

Overall, it poses a high security risk by compromising the integrity and confidentiality of the database.

Compliance Impact

The vulnerability allows SQL injection attacks by improperly handling NUL bytes in SQL queries, which can lead to unauthorized data access or manipulation.

Such unauthorized access or alteration of data can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding sensitive information against breaches.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of protected data, potentially causing violations of these regulations.

Mitigation by updating to patched PHP versions is necessary to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart