CVE-2025-14180
- Source
- https://cve.org/CVERecord?id=CVE-2025-14180
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14180.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-14180
- Aliases
-
- BIT-libphp-2025-14180
- BIT-php-2025-14180
- BIT-php-min-2025-14180
- GHSA-8xr5-qppj-gvwj
- Downstream
- Related
- Published
- 2025-12-27T20:15:40.717Z
- Modified
- 2026-03-12T02:15:05.157219Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTREMULATEPREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdoparseparams() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
- References
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "8.1.0" }, { "fixed": "8.1.34" }, { "introduced": "8.2.0" }, { "fixed": "8.2.30" }, { "introduced": "8.3.0" }, { "fixed": "8.3.29" }, { "introduced": "8.4.0" }, { "fixed": "8.4.16" }, { "introduced": "8.5.0" }, { "fixed": "8.5.1" } ] }