Critical security vulnerabilities have been discovered in PHP’s PostgreSQL and SOAP extensions that could enable SQL injection attacks and denial of service conditions.
The vulnerabilities affect multiple PHP versions and require immediate patching to prevent potential exploitation by malicious actors.
A significant security vulnerability has been identified in PHP’s PostgreSQL extension that fails to properly check for errors during string escaping operations.
This vulnerability, assigned CVE-2025-1735, stems from improper error handling in the extension’s implementation of PostgreSQL’s escape functions.
The issue is directly related to PostgreSQL’s own security advisory CVE-2025-1094, where PHP was initially used to demonstrate the underlying problem.
The vulnerability occurs because PHP’s implementation does not pass error parameters to the PQescapeStringConn() function, preventing proper error reporting when string escaping fails.
Because of this design flaw, even though PostgreSQL tries to ensure that an escaped string containing invalidly encoded content will trigger a server-side error, that protection is insufficient depending on how the escaped value is ultimately used.
Additionally, multiple calls to PQescapeIdentifier() fail to check for NULL return values, which is the documented method for error reporting. This oversight could result in crashes or undefined behavior in affected code paths.
The ramifications extend beyond simple crashes, as missing error checking during the escaping process creates opportunities for SQL injection attacks.
When escape functions fail silently, malformed or malicious input may not be properly sanitized before being incorporated into SQL queries, potentially allowing attackers to manipulate database operations.
A separate vulnerability affects PHP’s SOAP extension, designated as CVE-2025-6491, which can trigger NULL pointer dereferences leading to segmentation faults and denial of service conditions.
This vulnerability specifically affects systems running PHP with libxml2 versions prior to 2.13, creating a significant attack surface for applications utilizing SOAP functionality.
The vulnerability manifests when a SoapVar instance is created with a fully qualified name exceeding 2 gigabytes in length.
The underlying issue stems from libxml2’s inability to properly handle calls to xmlNodeSetName() with names longer than 2GB, leaving node objects in invalid states with NULL name pointers.
During subsequent message serialization processes, attempts to access these NULL pointers result in immediate crashes.
Exploitation scenarios include situations where application code constructs namespace prefixes using data from untrusted sources, such as remote SOAP services.
An attacker could craft malicious SOAP responses containing extremely large namespace prefixes, triggering the vulnerability when processed by vulnerable PHP installations.
The attack vector is particularly concerning as it requires no authentication and can be executed remotely, making it an attractive target for denial of service campaigns.
Organizations running affected PHP installations must prioritize immediate updates to address these critical vulnerabilities.
The security patches are available in PHP versions 8.1.33, 8.2.29, 8.3.23, and 8.4.10, which contain fixes for both the PostgreSQL extension escaping vulnerability and the SOAP extension NULL pointer dereference issue.
System administrators should conduct comprehensive audits of their PHP deployments to identify vulnerable installations.
Priority should be given to public-facing applications utilizing PostgreSQL databases or SOAP-based web services, as these represent the highest risk exposure.
The moderate severity rating assigned to both vulnerabilities should not diminish the urgency of remediation efforts, particularly given the potential for remote exploitation and the fundamental nature of the affected components.
Organizations unable to immediately update should consider implementing additional security measures such as input validation, network-level filtering, and monitoring for exploitation attempts while planning their upgrade strategies.
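As an added example (not code from the article or from the PHP project), the following shows how the interim measures above can be applied in PHP's pgsql extension: values are bound with pg_query_params so no client-side escaping is involved, identifiers are allow-listed, and input encoding is validated before anything reaches an escape function. The connection string, table and column names, and the mbstring dependency are assumptions.

```php
<?php
// Added example, not from the article or PHP itself. Assumes a reachable
// PostgreSQL server (placeholder DSN below), client_encoding UTF-8, and mbstring.
declare(strict_types=1);

// Refuse bytes that are not valid in the client encoding. Invalidly encoded
// input is the case in which escaping errors matter, so it is rejected up front.
function assertValidEncoding(string $value, string $encoding = 'UTF-8'): void
{
    if (!mb_check_encoding($value, $encoding)) {
        throw new InvalidArgumentException('Input is not valid ' . $encoding);
    }
}

// Identifiers cannot be bound as query parameters, so they are checked against a
// fixed allow-list first; escaping is a secondary layer, not the control.
function safeIdentifier(PgSql\Connection $db, string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('Identifier not permitted');
    }
    $quoted = pg_escape_identifier($db, $name);
    // Defensive: treat anything other than a string as an escaping failure.
    // On unpatched builds the failure may go unreported, hence the allow-list above.
    if (!is_string($quoted)) {
        throw new RuntimeException('Identifier escaping failed: ' . pg_last_error($db));
    }
    return $quoted;
}

// Values travel separately from the SQL text via $1-style placeholders, so the
// escaping code path in the extension is never exercised for them.
function findUser(PgSql\Connection $db, string $column, string $value): array
{
    assertValidEncoding($value);
    $col = safeIdentifier($db, $column, ['email', 'username']);   // assumed schema
    $sql = "SELECT id, username FROM users WHERE $col = \$1";
    $result = pg_query_params($db, $sql, [$value]);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . pg_last_error($db));
    }
    return pg_fetch_all($result) ?: [];
}

$db = pg_connect('host=localhost dbname=app user=app');   // placeholder DSN
if ($db === false) {
    exit("connection failed\n");
}
var_dump(findUser($db, 'email', "o'brien@example.com"));
```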