05 Jul

Critical security vulnerabilities have been discovered in PHP that could allow attackers to execute SQL injection attacks and cause denial of service (DoS) conditions. 
Two distinct vulnerabilities, assigned CVE-2025-1735 and CVE-2025-6491, affect multiple PHP versions and require immediate patching.
The flaws impact PHP installations running versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, with patches now available for all affected branches.


PostgreSQL Extension Vulnerability

The first vulnerability, CVE-2025-1735, affects PHP’s PostgreSQL extension and stems from inadequate error checking during string escaping operations. 
The flaw occurs when PHP uses escape functions without proper error parameter handling, specifically failing to pass error parameters to the PQescapeStringConn() function. 
This missing error checking could result in SQL injection vulnerabilities and application crashes due to null pointer dereferences.
The vulnerability is directly related to PostgreSQL’s CVE-2025-1094, originally reported to the PostgreSQL project. 
Security researchers discovered that PHP’s implementation doesn’t allow for proper error reporting during escape operations, potentially leaving applications vulnerable even when PostgreSQL attempts to trigger server-side errors for invalidly encoded strings. 
Additionally, multiple calls to PQescapeIdentifier() fail to check for a NULL return value, which is the documented way that function reports an error.
This oversight could lead to undefined behavior (UB) or application crashes in various code paths.


SOAP Extension Flaw

The second vulnerability, CVE-2025-6491, affects PHP’s SOAP extension and can cause segmentation faults leading to denial of service. 
The flaw manifests when a SoapVar instance is created with a fully qualified name exceeding 2GB in size, triggering a null pointer dereference that results in immediate application termination.
The vulnerability occurs due to limitations in libxml2 versions prior to 2.13, which cannot properly handle calls to xmlNodeSetName() with names longer than 2GB. 
This leaves XML node objects in an invalid state with NULL names, subsequently causing crashes during message serialization. 

The attack vector involves creating a malicious SoapVar object with an oversized namespace prefix, as demonstrated in the proof-of-concept code that generates a segmentation fault through the xmlBuildQName() function. 
The vulnerability carries a CVSS score of 5.9, indicating moderate severity but significant potential for service disruption.



CVE-2025-1735
  Description: PostgreSQL extension SQL injection vulnerability
  Affected products: PHP versions < 8.1.33, < 8.2.29, < 8.3.23, < 8.4.10
  CVSS 3.1 score: 9.1 (Critical)

CVE-2025-6491
  Description: SOAP extension denial of service vulnerability
  Affected products: PHP versions < 8.1.33, < 8.2.29, < 8.3.23, < 8.4.10; PHP <= 8.5.0-dev with libxml2 < 2.13
  CVSS 3.1 score: 5.9

Ahmed Leksa, from Qatar Computing Research Institute, discovered the SOAP vulnerability (CVE-2025-6491), which affects any PHP installation with the SOAP extension enabled.
Administrators should immediately update to patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates address both vulnerabilities and restore proper error-handling mechanisms in the affected extensions.
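An added check script, not code from the advisory or the PHP project, that reports whether the local interpreter falls inside the affected ranges listed above. The version thresholds are those stated in this article; the script assumes the libxml2 version PHP exposes through LIBXML_DOTTED_VERSION is the one the SOAP extension links against.

```php
<?php
// Added example: flags a PHP build that sits inside the ranges this advisory
// lists for CVE-2025-1735 (pgsql) and CVE-2025-6491 (soap). Not PHP project code.

// Fixed releases per branch, as given in the advisory.
const FIXED_VERSIONS = ['8.1' => '8.1.33', '8.2' => '8.2.29',
                        '8.3' => '8.3.23', '8.4' => '8.4.10'];

function branchOf(string $version): string {
    $p = explode('.', $version);
    return $p[0] . '.' . ($p[1] ?? '0');
}

// True when the version is on a listed branch and older than its fixed release.
function phpUnpatched(string $php): bool {
    $fixed = FIXED_VERSIONS[branchOf($php)] ?? null;
    return $fixed !== null && version_compare($php, $fixed, '<');
}

// CVE-2025-6491 additionally covers 8.5.0-dev and needs libxml2 older than 2.13.
function soapAffected(string $php, string $libxml): bool {
    $phpVulnerable = phpUnpatched($php)
        || (branchOf($php) === '8.5' && version_compare($php, '8.5.0-dev', '<='));
    return $phpVulnerable && version_compare($libxml, '2.13', '<');
}

// Combine version state with the extensions that are actually loaded.
function assess(string $php, array $exts, string $libxml): array {
    $findings = [];
    if (in_array('pgsql', $exts, true) && phpUnpatched($php)) {
        $findings[] = "CVE-2025-1735: pgsql loaded on unpatched PHP $php";
    }
    if (in_array('soap', $exts, true) && soapAffected($php, $libxml)) {
        $findings[] = "CVE-2025-6491: soap loaded on PHP $php with libxml2 $libxml";
    }
    return $findings;
}

// Assumption: LIBXML_DOTTED_VERSION is the libxml2 build the SOAP extension uses.
$libxml = defined('LIBXML_DOTTED_VERSION') ? LIBXML_DOTTED_VERSION : '0.0.0';
$findings = assess(PHP_VERSION, get_loaded_extensions(), $libxml);
if ($findings === []) {
    echo "No findings for PHP " . PHP_VERSION . " (libxml2 $libxml)\n";
    exit(0);
}
foreach ($findings as $f) {
    echo "[!] $f\n";
}
exit(1);
```

Run it with the same php binary that serves the application (for example via `php -f` under the web server's user), since CLI and FPM builds can load different extensions.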
