CVE-2025-14178

MEDIUM

PHP <8.1.34, <8.2.30, <8.3.29, <8.4.16, <8.5.1 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-14178. PoCs published by gl1tch0x1.

AI-analyzed exploit summary This repository contains a modular exploit framework for multiple PHP CVEs, including CVE-2025-14178. It includes detection and exploitation logic for various PHP vulnerabilities, with specific modules for each CVE.

Description

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

Exploits (1)

github WORKING POC
by gl1tch0x1 · shellpoc
https://github.com/gl1tch0x1/PHP_8.1.x_Exploit

This repository contains a modular exploit framework for multiple PHP CVEs, including CVE-2025-14178. It includes detection and exploitation logic for various PHP vulnerabilities, with specific modules for each CVE.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHP 8.1.x
No auth needed
Prerequisites: target URL with vulnerable PHP version · network access to the target
devstral-2 · analyzed Apr 29, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.5
EPSS 0.0043
EPSS Percentile 33.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-190 CWE-787
Status published
Products (1)
php/php 8.1.0 - 8.1.34
Published Dec 27, 2025
Tracked Since Feb 18, 2026