Critical security vulnerabilities in PHP, identified as CVE-2025-1735 and CVE-2025-6491, expose applications to SQL injection attacks and denial of service (DoS) conditions. These vulnerabilities affect PHP versions below 8.1.33, 8.2.29, 8.3.23, and 8.4.10.
CVE-2025-1735 relates to the PostgreSQL extension, where insufficient error checking during string escaping can lead to SQL injection vulnerabilities and application crashes. This flaw is associated with PostgreSQL's CVE-2025-1094.
CVE-2025-6491 affects the SOAP extension, causing segmentation faults when a SoapVar instance has a namespace prefix exceeding 2 GB, which can lead to application termination. This issue is linked to limitations in libxml2 versions prior to 2.13.
Patches are available for all affected PHP versions to mitigate these vulnerabilities. CVE-2025-1735 has a CVSS score of 9.1 (Critical), while CVE-2025-6491 has a CVSS score of 5.9 (Moderate).
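
To triage a fleet against the fixed releases listed above, the following added example (not part of the original advisory or of PHP itself) classifies reported PHP version strings and flags hosts that load the pgsql or soap extension. The host names, inventory format and status labels are assumptions made for illustration.

```python
import re

# Fixed release per branch, from the advisory text: {(major, minor): first fixed patch}.
FIXED = {(8, 1): 33, (8, 2): 29, (8, 3): 23, (8, 4): 10}
# Extension that carries each CVE, from the advisory text.
CVE_BY_EXTENSION = {"pgsql": "CVE-2025-1735", "soap": "CVE-2025-6491"}

def parse_version(raw):
    """Extract (major, minor, patch) from e.g. 'PHP 8.3.22 (cli)' or '8.2.28-extra'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw)
    if m is None:
        raise ValueError(f"no PHP version found in {raw!r}")
    return tuple(int(part) for part in m.groups())

def patch_status(raw):
    """Return 'fixed', 'affected' or 'not-listed' for one version string."""
    major, minor, patch = parse_version(raw)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    # Branches older than 8.1 are below every fixed release; newer ones are
    # not covered by the advisory, so they are reported rather than guessed.
    return "affected" if branch < min(FIXED) else "not-listed"

def audit(inventory):
    """Return (host, cve, status) for hosts that load an affected extension."""
    findings = []
    for host in inventory:
        status = patch_status(host["version"])
        if status == "fixed":
            continue
        for ext in sorted(host["extensions"]):
            if ext in CVE_BY_EXTENSION:
                findings.append((host["name"], CVE_BY_EXTENSION[ext], status))
    return findings

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"name": "web-01", "version": "PHP 8.3.22 (cli)", "extensions": {"pgsql", "soap", "curl"}},
    {"name": "web-02", "version": "8.4.10", "extensions": {"pgsql"}},
    {"name": "batch-01", "version": "8.0.30", "extensions": {"soap"}},
    {"name": "api-01", "version": "8.2.28", "extensions": {"mbstring"}},
]

if __name__ == "__main__":
    for name, cve, status in audit(SAMPLE_INVENTORY):
        print(f"{name}: {cve} ({status})")
```

Distribution packages can backport fixes without changing the upstream version number, so an "affected" result from a version string alone means the host needs review against the vendor's own advisory.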