PDO PostgreSQL Bug Triggers NULL Pointer Dereference and Crashes PHP Worker Processes

Researchers at Positive Technologies have identified two significant vulnerabilities within the PHP Data Objects (PDO) extension layer, each posing a high severity risk. The first vulnerability leads to a NULL pointer dereference, resulting in the crash of PHP worker processes, while the second vulnerability allows for SQL injection due to a nuanced mishandling of NUL bytes in the Firebird driver.

The revelations stemmed from an extensive audit of PHP’s database abstraction framework, exposing critical weaknesses in the trust boundaries that web developers have relied upon for years. All database interactions are funneled through extensions, whether via the generic PDO interface, supported by driver-specific modules such as pdo_pgsql or pdo_firebird, or through native extensions like mysqli and pgsql. Each driver, in turn, interfaces with a DBMS client library—libpq for PostgreSQL, fbclient for Firebird, or an embedded engine like SQLite.

The scope of the audit conducted by Positive Technologies expanded rapidly, uncovering additional vulnerabilities beyond PDO itself. Among these findings were an integer overflow in PostgreSQL’s libpq client library and an information disclosure flaw in Firebird 3’s fbclient. The latter issue arises from incorrect XSQLDA field lengths during communication with Firebird 4 servers, potentially leading to an out-of-bounds read.

PostgreSQL Bug Crashes PHP

The first vulnerability, designated as CVE-2025-14180 (CVSS 8.2 HIGH), impacts PHP versions 8.1.x prior to 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.1. This vulnerability is triggered when the pdo_pgsql driver operates with PDO::ATTR_EMULATE_PREPARES enabled—a configuration that shifts the handling of prepared statements entirely to the PHP side instead of delegating it to the PostgreSQL server.

In this emulation mode, PHP’s pdo_parse_params() function processes parameter values before sending a completed SQL string to PostgreSQL. If an invalid character sequence, such as the byte x99, is supplied as a parameter, the underlying libpq quoting function PQescapeStringConn() returns NULL instead of an escaped string. Unfortunately, PHP’s pdo_parse_params() does not validate this return value before dereferencing the pointer, leading to a NULL pointer dereference, a segmentation fault, and ultimately crashing the PHP worker process.

A remote attacker can exploit this vulnerability without requiring authentication by submitting a malformed character sequence through any application input field that reaches a prepared statement. This results in a straightforward Denial of Service condition, effectively taking down the PHP-FPM worker or the web server process handling that request. To mitigate this risk, users are advised to upgrade to a patched PHP release or disable PDO::ATTR_EMULATE_PREPARES in PostgreSQL connection settings, as suggested by Positive Technologies.

The second vulnerability, CVE-2025-14179 (High severity, CWE-89), affects PHP versions 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6. This vulnerability presents a counterintuitive scenario: the PDO_Firebird quoting routine firebird_handle_quoter(), exposed via PDO::quote(), functions correctly and produces properly escaped output. However, the issue arises later during PDO::prepare(), when the driver reparses and reconstructs the SQL string token by token.

Tech Optimizer
PDO PostgreSQL Bug Triggers NULL Pointer Dereference and Crashes PHP Worker Processes