Critical security vulnerabilities have been disclosed in PHP that could allow attackers to carry out SQL injection or trigger denial of service (DoS) conditions. Tracked as CVE-2025-1735 and CVE-2025-6491, they affect multiple PHP release branches and require prompt patching.
Key Takeaways
1. CVE-2025-1735 (PostgreSQL) and CVE-2025-6491 (SOAP) affect versions below 8.1.33, 8.2.29, 8.3.23, and 8.4.10.
2. PostgreSQL extension flaw enables SQL injection due to missing error checking in escape functions.
3. SOAP extension crashes when processing oversized namespace prefixes (>2GB), causing segmentation faults.
4. Upgrade to patched versions to prevent SQL injection and service disruption attacks.
The vulnerabilities impact PHP installations running versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, with patches now available for all affected branches.
PostgreSQL Extension Vulnerability
The first vulnerability, CVE-2025-1735, concerns PHP’s PostgreSQL extension and stems from insufficient error checking during string escaping. The extension calls PQescapeStringConn() without passing the error parameter that libpq uses to signal a failed escape, so an escaping failure goes unnoticed.
Without that check, a string that libpq failed to escape can still be spliced into a query, opening the door to SQL injection, and related code paths can crash on null pointer dereferences. The issue is closely tied to PostgreSQL’s CVE-2025-1094, which was first reported to the PostgreSQL project.
Security researchers found that PHP’s implementation therefore provides no error reporting for escape operations, which can leave applications exposed even where PostgreSQL itself would raise a server-side error for an improperly encoded string. In addition, several calls to PQescapeIdentifier() never check for a NULL return value, which is how that function reports failure; the result is undefined behavior or an application crash across several code paths.
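The safe pattern for application code, shown here as an added example rather than code from the PHP project or the advisory: data values are bound with pg_query_params() so no client-side escaping of user input takes place, and where a table identifier must be interpolated, a false return from pg_escape_identifier() is treated as a hard failure instead of being concatenated into SQL. The table allowlist, the connection string and the function name are assumptions for the illustration.

```php
<?php
// Added example: hardened PostgreSQL access from PHP userland.
// Assumes a local database reachable with the constructed connection string below.
declare(strict_types=1);

// Allowlist of tables the application may query (assumption for this example).
const ALLOWED_TABLES = ['users', 'orders'];

function lookupRows(\PgSql\Connection $db, string $table, string $email): array
{
    // Step 1: identifiers cannot be bound as parameters, so constrain them
    // to a fixed allowlist before any escaping takes place.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not permitted: $table");
    }

    // Step 2: pg_escape_identifier() returns false on failure. The extension
    // bug described above was the C code ignoring libpq's error signal;
    // user code must not repeat that mistake with the PHP-level result.
    $quoted = pg_escape_identifier($db, $table);
    if ($quoted === false) {
        throw new RuntimeException('identifier escaping failed: ' . pg_last_error($db));
    }

    // Step 3: data values travel as bound parameters. The server receives the
    // query text and the value separately, so $email is never escaped
    // client-side and an escaping bug cannot turn it into SQL.
    $result = pg_query_params($db, "SELECT id, email FROM $quoted WHERE email = \$1", [$email]);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($db));
    }
    return pg_fetch_all($result) ?: [];
}

// Usage; the connection string is a constructed placeholder.
$db = pg_connect('host=localhost dbname=app user=app password=CHANGE_ME');
if ($db === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}
// A hostile-looking value is handled as plain data, not as SQL.
var_dump(lookupRows($db, 'users', "alice@example.com' OR 1=1 --"));
```

Running the script against a test database returns only rows whose email column literally equals the supplied string, regardless of the quote characters it contains.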
SOAP Extension Flaw
The second vulnerability, CVE-2025-6491, impacts PHP’s SOAP extension and has the potential to cause segmentation faults, resulting in denial of service. This flaw becomes apparent when a SoapVar instance is created with a fully qualified name exceeding 2GB, leading to a null pointer dereference that can terminate the application immediately.
The issue arises from limitations in libxml2 versions prior to 2.13, which are unable to handle calls to xmlNodeSetName() with names longer than 2GB. Consequently, this leaves XML node objects in an invalid state with NULL names, causing crashes during message serialization.
The attack vector involves crafting a malicious SoapVar object with an oversized namespace prefix, as illustrated in proof-of-concept code that triggers a segmentation fault via the xmlBuildQName() function. This vulnerability carries a CVSS score of 5.9, indicating moderate severity but a significant potential for service disruption.
| CVE | Description | Affected Products | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-1735 | PostgreSQL extension SQL injection vulnerability | PHP versions < 8.1.33, 8.2.29, 8.3.23, 8.4.10 | 9.1 (Critical) |
| CVE-2025-6491 | SOAP extension denial of service vulnerability | PHP versions < 8.1.33, 8.2.29, 8.3.23, 8.4.10; PHP <= 8.5.0-dev with libxml2 < 2.13 | 5.9 (Moderate) |
Ahmed Leksa from the Qatar Computing Research Institute uncovered this vulnerability, which impacts any PHP installation with the SOAP extension enabled. Administrators are strongly urged to promptly update to patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates rectify both vulnerabilities and restore proper error-handling mechanisms in the affected extensions.