CVE-2025-14178 in PHP
Summary
by MITRE • 12/27/2025
In PHP versions: 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Analysis
by VulDB Data Team • 02/02/2026
CVE-2025-14178 is a critical heap buffer overflow in PHP's array_merge() function that affects multiple PHP version streams, 8.1.x through 8.5.x. The flaw stems from an integer overflow that occurs during the precomputation of element counts when processing packed arrays. It manifests when the total element count of the packed arrays exceeds either 32-bit limits or HT_MAX_SIZE, so that memory boundaries are exceeded during array operations. The root cause lies in the precomputation that totals the zend_hash_num_elements() results without proper overflow checking, which leads to a miscalculated memory allocation for the merged array structure.
The technical impact of this vulnerability extends beyond simple memory corruption to potentially enable remote code execution or denial of service conditions depending on the attack vector and system configuration. When the integer overflow occurs during the element count precomputation, the system allocates insufficient memory for the resulting array structure, creating heap corruption that can be exploited by malicious actors to manipulate memory layout or cause application crashes. The vulnerability is particularly dangerous in web applications that process user-supplied array data through array_merge() operations, as attackers can craft specific input sequences that trigger the overflow condition. This type of vulnerability aligns with CWE-129 and CWE-787, representing issues related to insufficient bounds checking and buffer overflow conditions in memory management.
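The counting flaw and the resulting under-allocation described above can be seen in a small model. This is an added example, not PHP's source code: the function names, the MODEL_MAX_SIZE value and the sample counts are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for this model only; it stands in for the engine's HT_MAX_SIZE. */
#define MODEL_MAX_SIZE 0x40000000u

/* Constructed per-array element counts (not taken from the advisory). */
static const uint32_t SAMPLE_COUNTS[] = { 0x40000000u, 0x40000000u, 0x40000000u, 0x40000000u, 3u };
static const size_t SAMPLE_N = sizeof SAMPLE_COUNTS / sizeof SAMPLE_COUNTS[0];

/* Unchecked pattern: a 32-bit running total silently wraps modulo 2^32. */
uint32_t total_unchecked(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];
    return total;
}

/* Checked pattern: accumulate in 64 bits and refuse any total above the cap. */
bool total_checked(const uint32_t *counts, size_t n, uint32_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += counts[i];
        if (total > MODEL_MAX_SIZE)
            return false;          /* caller must raise an error, not allocate */
    }
    *out = (uint32_t)total;
    return true;
}

/* Slots a destination sized from the wrapped total would be missing. */
uint64_t shortfall(const uint32_t *counts, size_t n)
{
    uint64_t real = 0;
    for (size_t i = 0; i < n; i++)
        real += counts[i];
    return real - total_unchecked(counts, n);
}

int main(void)
{
    uint32_t ok = 0;
    printf("wrapped=%u accepted=%d shortfall=%llu\n",
           (unsigned)total_unchecked(SAMPLE_COUNTS, SAMPLE_N),
           total_checked(SAMPLE_COUNTS, SAMPLE_N, &ok),
           (unsigned long long)shortfall(SAMPLE_COUNTS, SAMPLE_N));
    return 0;
}
```

The wrapped total looks like a small, valid size, which is why the check has to happen while summing rather than on the final value.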
The operational impact of CVE-2025-14178 affects any PHP application running on the vulnerable versions, particularly those handling large datasets or user input through array operations. Web applications, content management systems, and frameworks that rely heavily on array manipulation functions become vulnerable to exploitation, potentially leading to complete system compromise or service disruption. The vulnerability affects the integrity and availability of target servers by creating conditions where legitimate memory operations can be corrupted or where the application crashes due to memory allocation failures. Attackers can leverage this vulnerability through crafted array inputs that cause the integer overflow during array_merge() execution, making it a significant concern for organizations running PHP-based web services. The issue is further complicated by the fact that the vulnerability exists across multiple PHP version streams, requiring comprehensive patch management across all affected deployments.
Mitigation for CVE-2025-14178 focuses primarily on immediate patching of the affected PHP versions, with administrators prioritizing updates to PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, and 8.5.1 for the corresponding branches. Organizations should also implement input validation to limit array sizes and prevent malicious array construction that could trigger the overflow condition. Additionally, monitoring systems should be configured to detect unusual array operations or memory allocation patterns that might indicate exploitation attempts. The vulnerability's classification under ATT&CK techniques T1190 and T1059 demonstrates its potential for exploitation through application-layer attacks, requiring security teams to implement defensive measures such as web application firewalls and runtime application self-protection mechanisms. System administrators should also consider implementing network segmentation and access controls to limit the potential impact of successful exploitation attempts.