Critical severity9.8NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2025-14179

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Affected products

PHP/Php Srcinferred
Range: >=8.2.0,<8.2.31, >=8.3.0,<8.3.31, >=8.4.0,<8.4.21, >=8.5.0,<8.5.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvmnvdVendor Advisory

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000