CVE-2025-14179

CRITICAL

SQL injection in pdo_firebird via NUL bytes in quoted strings

Title source: cna

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
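The truncation described above, reduced to a stand-alone C example. It is added here and is not code from PHP or pdo_firebird: the `token` struct, function names and sample tokens are constructed for illustration, and the `memcpy()` variant is one length-aware alternative, not necessarily the upstream fix.

```c
#include <stdio.h>
#include <string.h>

/* A lexer token: pointer plus explicit length, so it may contain NUL bytes. */
typedef struct { const char *ptr; size_t len; } token;
#define TOK(s) { (s), sizeof(s) - 1 }

/* Constructed sample: the second token is a quoted literal with a NUL inside. */
static const token SAMPLE[] = {
    TOK("SELECT * FROM t WHERE a = "), TOK("'x\0y'"), TOK(" AND b = "), TOK("'z'")
};
#define NSAMPLE (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Flawed pattern: strncat() stops at the first NUL in the source token. */
size_t build_strncat(const token *t, size_t n, char *out, size_t cap) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + t[i].len >= cap) return 0;
        strncat(out, t[i].ptr, t[i].len);
    }
    return strlen(out);
}

/* Length-aware pattern: memcpy() copies exactly len bytes, NUL included. */
size_t build_memcpy(const token *t, size_t n, char *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].len >= cap - pos) return 0;
        memcpy(out + pos, t[i].ptr, t[i].len);
        pos += t[i].len;
    }
    out[pos] = '\0';
    return pos;
}

/* Quote bytes in the first len bytes; an odd count means an unclosed literal. */
size_t count_quotes(const char *buf, size_t len) {
    size_t q = 0;
    for (size_t i = 0; i < len; i++) q += (buf[i] == '\'');
    return q;
}

int main(void) {
    char a[128], b[128];
    size_t la = build_strncat(SAMPLE, NSAMPLE, a, sizeof a);
    size_t lb = build_memcpy(SAMPLE, NSAMPLE, b, sizeof b);
    printf("strncat quotes: %zu, memcpy quotes: %zu\n", count_quotes(a, la), count_quotes(b, lb));
    return 0;
}
```

In the `strncat()` output the literal's closing quote is gone, so the quote count is odd and the tokens that follow sit inside the string; a check for embedded NUL bytes or unbalanced quotes in the assembled statement catches this before it reaches the database.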

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 11.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (5)
php/php 8.2.0 - 8.2.31
PHP Group/PHP 8.2.* - 8.2.31
PHP Group/PHP 8.3.* - 8.3.31
PHP Group/PHP 8.4.* - 8.4.21
PHP Group/PHP 8.5.* - 8.5.6
Published May 10, 2026
Tracked Since May 10, 2026