CVE-2025-14179
CRITICALCVSS v3.1: 9.8 · EPSS: 0.0026 (17.3 percentile)
Source data as of:
At a glance
- Severity
- CRITICAL
- CVSS
- 9.8 v3.1 · NVD
- EPSS
- 0.0026 (17.3 percentile) · FIRST.org
- CISA KEV
- No
- Type
- SQL Injection · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Affected vendors
- php
- Published
- 2026-05-10 · Modified: 2026-06-30
- References
- Jump to references (4)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.