CVE-2025-14180 in PHP
Summary
by MITRE • 12/27/2025
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/02/2026
This vulnerability exists within the PHP PDO PostgreSQL driver implementation where specific character sequences in prepared statement parameters trigger a critical null pointer dereference condition. The flaw manifests when PDO::ATTR_EMULATE_PREPARES is enabled, creating a scenario where invalid character sequences such as the replacement character � cause the underlying PQescapeStringConn function to return NULL instead of properly escaped strings. This NULL return value subsequently propagates through the pdo_parse_params() function, resulting in a segmentation fault during execution. The vulnerability affects multiple PHP version streams including 8.1.x through 8.5.x, with specific patched versions identified for each major release line. The impact extends beyond simple crashes to potential denial of service conditions that can compromise server availability and stability.
The technical root cause stems from inadequate input validation and error handling within the PostgreSQL driver's parameter processing pipeline. When the PQescapeStringConn function encounters malformed character sequences that it cannot properly escape, it returns NULL rather than throwing an appropriate exception or handling the error gracefully. This NULL value then flows into the pdo_parse_params() function without proper null checking, leading to the inevitable null pointer dereference. The vulnerability represents a classic buffer overflow and memory management issue that falls under CWE-476, specifically addressing null pointer dereference conditions in database driver implementations. The flaw demonstrates poor defensive programming practices where error conditions are not properly handled before subsequent operations are performed on potentially invalid data structures.
The operational impact of this vulnerability is significant for systems relying on PHP with PostgreSQL database connections, particularly those implementing prepared statements with emulated prepares. An attacker could exploit this weakness by crafting malicious input parameters containing invalid character sequences that trigger the null pointer dereference, resulting in segmentation faults that crash the PHP process. This leads to immediate service disruption and potential denial of service conditions that can affect availability for legitimate users. The vulnerability is particularly concerning in high-traffic applications where repeated exploitation could cause sustained service interruptions, making it a critical concern for production environments. Systems utilizing PHP with PostgreSQL connections and emulated prepared statements are at risk, especially when processing untrusted input data.
Mitigation strategies should focus on immediate version upgrades to patched PHP releases, specifically targeting PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, and 8.5.1 or later versions that contain the necessary fixes. Organizations should also consider implementing input sanitization measures to filter out potentially problematic character sequences before they reach the database driver layer. Temporary workarounds may include disabling PDO::ATTR_EMULATE_PREPARES when connecting to PostgreSQL databases, though this may impact application functionality. Security monitoring should be enhanced to detect unusual segmentation fault patterns or process crashes that could indicate exploitation attempts. Additionally, implementing proper error handling and logging mechanisms around database operations can help identify when the vulnerability is being exploited. This vulnerability aligns with ATT&CK technique T1499.004, specifically targeting availability through application crash conditions, and represents a critical security gap that requires immediate attention from system administrators and security teams.