Critical severity9.8NVD Advisory· Published May 10, 2026· Updated May 12, 2026
CVE-2025-14179
CVE-2025-14179
Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8- osv-coords6 versionspkg:apk/chainguard/php-8.2pkg:apk/wolfi/php-8.2pkg:bitnami/libphppkg:bitnami/phppkg:bitnami/php-minpkg:rpm/opensuse/php8&distro=openSUSE%20Tumbleweed
< 8.2.31-r0+ 5 more
- (no CPE)range: < 8.2.31-r0
- (no CPE)range: < 8.2.31-r0
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: >= 8.2.0, < 8.2.31
- (no CPE)range: < 8.5.6-1.1
Patches
Vulnerability mechanics
References
1- github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvmnvdVendor Advisory
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026