In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "8.1.*"
},
{
"fixed": "8.1.34"
},
{
"introduced": "8.2.*"
},
{
"fixed": "8.2.30"
},
{
"introduced": "8.3.*"
},
{
"fixed": "8.3.29"
},
{
"introduced": "8.4.*"
},
{
"fixed": "8.4.16"
},
{
"introduced": "8.5.*"
},
{
"fixed": "8.5.1"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "8.1.34"
},
{
"fixed": "8.2.30"
},
{
"fixed": "8.3.29"
},
{
"fixed": "8.4.16"
},
{
"fixed": "8.5.1"
}
],
"source": "DESCRIPTION"
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/14xxx/CVE-2025-14180.json",
"cna_assigner": "php",
"cwe_ids": [
"CWE-476"
]
}{
"versions": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.1.34"
},
{
"introduced": "8.2.0"
},
{
"fixed": "8.2.30"
},
{
"introduced": "8.3.0"
},
{
"fixed": "8.3.29"
},
{
"introduced": "8.4.0"
},
{
"fixed": "8.4.16"
},
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.1"
}
]
}