A recent examination of PHP’s database driver layer has unveiled two significant vulnerabilities that underscore the potential risks lurking within even the most established codebases. These flaws reside within PHP Data Objects (PDO), the abstraction layer that facilitates communication between web applications and databases such as Firebird and PostgreSQL. The intricacies of these drivers have allowed malicious inputs to bypass conventional security measures.
The first vulnerability pertains to the pdo_firebird driver, which inadvertently permits SQL injection attacks through the manipulation of NUL bytes embedded within properly quoted strings. The second issue affects the pdo_pgsql driver, responsible for PostgreSQL interactions, and can lead to application crashes, resulting in denial of service. Both vulnerabilities emerged from the driver layer’s reliance on assumptions about C string handling that do not consistently hold true.
Researchers Aleksey Solovev and Nikita Sveshnikov from PT Swarm identified these issues during a comprehensive audit of PDO and its associated drivers. Their investigation extended beyond PHP’s core codebase, delving into third-party client libraries that PDO relies on, revealing long-overlooked weaknesses.
According to a report shared by PT Swarm, the discovered flaws highlight that database security in PHP is influenced as much by the intricacies of driver internals as it is by the application code itself. The implications are considerable, given that Firebird and PostgreSQL are prevalent in production environments, ranging from internal tools to e-commerce platforms. A successful SQL injection could compromise sensitive records or completely bypass authentication mechanisms, while the denial of service vulnerability could be triggered by submitting malformed input, resulting in inconsistent database states.
Critical PHP PDO Driver Bugs
The first vulnerability, designated as CVE-2026-25289 and classified with high severity, revolves around how the pdo_firebird driver reconstructs SQL statements after they have been safely quoted. Developers often operate under the assumption that invoking PDO::quote prior to PDO::prepare guarantees safety; however, this research reveals that this pattern can be misleading. While the quoting process appears effective, a subsequent preprocessing stage can inadvertently disrupt the intended string boundaries.
The underlying issue stems from the driver’s use of the C function strncat, which ceases copying data upon encountering a NUL byte, disregarding the specified byte length. Consequently, if a quoted value contains a NUL byte, the closing quote is omitted during reconstruction, allowing attacker-controlled data to infiltrate executable SQL. In a proof of concept, this vulnerability enabled a UNION-based injection that exposed internal database version details that should remain confidential.
PHP maintainers have addressed this issue in a routine security release, revising the Firebird driver’s token-by-token reconstruction logic to employ a binary-safe method, replacing the previously unsafe NUL-terminated approach. Operators utilizing older, unpatched versions remain vulnerable until they implement the necessary updates.
Null Pointer Crash In PostgreSQL Driver
The second flaw, tracked as CVE-2026-25290 and rated moderate with a CVSS score of approximately 7.3, affects the pdo_pgsql driver when emulated prepared statements are explicitly enabled. Under this configuration, if a parameter contains an invalid multibyte character sequence for the active connection encoding, libpq fails silently, returning a NULL escaped string. PDO’s parser subsequently attempts to read the length of this NULL value, resulting in a null pointer dereference and an immediate segmentation fault.
This situation poses more than a mere inconvenience. In a scenario modeled by PT Swarm, an e-commerce checkout script processed a payment, deducted a customer’s balance, and then crashed while attempting to insert the order record due to a malformed byte sequence in a notes field. This led to a situation where the customer was charged without any order being created, thereby undermining trust and financial accuracy.
The fix, released in the same coordinated update, ensures that the driver verifies for a NULL escaped value before dereferencing it, transforming a critical crash into a manageable application error. Developers are strongly urged to update PHP across all supported branches.
Researchers also advocate for treating binary input as untrustworthy, avoiding unnecessary emulated prepare modes, and encapsulating financial workflows within atomic transactions rather than relying on default autocommit behavior. These findings serve as a reminder that web application security is contingent not only on the code developers write but also on the underlying runtime and native libraries.