information disclosure

Tech Optimizer
July 7, 2026
Researchers at Positive Technologies have identified two significant vulnerabilities in the PHP Data Objects (PDO) extension layer, both posing high severity risks. The first vulnerability (CVE-2025-14180) leads to a NULL pointer dereference, causing PHP worker processes to crash. It affects PHP versions 8.1.x prior to 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.1. This issue occurs when the pdo_pgsql driver operates with PDO::ATTR_EMULATE_PREPARES enabled, allowing a remote attacker to exploit it without authentication by submitting malformed character sequences. The second vulnerability (CVE-2025-14179) allows for SQL injection and affects PHP versions 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6. It arises from a mishandling of NUL bytes in the Firebird driver during the PDO::prepare() process, despite the quoting routine functioning correctly. Additionally, the audit revealed an integer overflow in PostgreSQL’s libpq client library and an information disclosure flaw in Firebird 3’s fbclient.
Search