Urgent PHP Security Update: Protect Your Website from Critical Vulnerabilities!
Attention PHP users! It’s time to take action and update your server immediately. Two critical security vulnerabilities have been discovered in PHP that could jeopardize the safety of your website or application. These flaws may allow malicious attackers to execute SQL injection attacks or completely crash your services.
The vulnerabilities are identified as CVE-2025-1735 and CVE-2025-6491. Affected versions of PHP have been identified, and patches are now available. Updating your PHP version is essential to ensure your website remains secure.
1. CVE-2025-1735 – SQL Injection Risk through PostgreSQL Extension
This vulnerability is particularly alarming. It impacts the PostgreSQL extension in PHP and arises from PHP’s failure to properly validate errors when escaping strings.
When your application interacts with a PostgreSQL database, PHP should sanitize the data to prevent SQL injection attacks. Unfortunately, PHP does not pass error-checking parameters to the escape function, meaning that the system remains unaware of any issues. This oversight enables attackers to inject dangerous SQL commands.
Moreover, this bug is related to a known vulnerability in PostgreSQL itself (CVE-2025-1094). PHP’s handling of errors exacerbates the situation, as it continues processing even when the escape function returns a NULL value, which can lead to application crashes or unpredictable behavior.
This vulnerability has a CVSS score of 9.1, indicating it is critical and should not be ignored.
2. CVE-2025-6491 – SOAP Extension Crash Vulnerability
The second vulnerability targets PHP’s SOAP extension. If an attacker creates a SoapVar object with a name exceeding 2GB, it triggers an immediate crash of PHP.
This problem occurs because older versions of libxml2 (which PHP relies on) cannot process names of such length. Consequently, PHP attempts to use a NULL name value, resulting in a segmentation fault that crashes the application.
This issue leads to a Denial of Service (DoS) vulnerability, with a CVSS score of 5.9. While this may seem moderate, the impact can be severe for applications that depend on SOAP.
Who Is Impacted and Immediate Actions to Take
If your server is running any PHP version earlier than 8.1.33, 8.2.29, 8.3.23, or 8.4.10, you are at risk. Additionally, even early versions of PHP 8.5.0-dev are vulnerable if used with older libxml2 versions.
These vulnerabilities affect any server with the PostgreSQL or SOAP extensions enabled.
To safeguard your server and applications, update your PHP version immediately to one of the following patched versions: PHP 8.1.33, PHP 8.2.29, PHP 8.3.23, or PHP 8.4.10. These versions address both vulnerabilities and ensure proper error handling is restored.
