Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks
Critical security vulnerabilities have been discovered in PHP that could allow attackers to execute SQL injection attacks and cause denial of service (DoS) conditions.
Two distinct vulnerabilities, assigned CVE-2025-1735 and CVE-2025-6491, affect multiple PHP versions and require immediate patching.
Key Takeaways
1. CVE-2025-1735 (PostgreSQL) and CVE-2025-6491 (SOAP) affect versions below 8.1.33, 8.2.29, 8.3.23, and 8.4.10.
2. PostgreSQL extension flaw enables SQL injection due to missing error checking in escape functions.
3. SOAP extension crashes when processing oversized namespace prefixes (>2GB), causing segmentation faults.
4. Upgrade to patched versions to prevent SQL injection and service disruption attacks.
The flaws impact PHP installations running versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, with patches now available for all affected branches.
PostgreSQL Extension Vulnerability
The first vulnerability, CVE-2025-1735, affects PHP’s PostgreSQL extension and stems from inadequate error checking during string escaping operations.
The flaw occurs when PHP uses escape functions without proper error parameter handling, specifically failing to pass error parameters to the PQescapeStringConn() function.
This missing error checking could result in SQL injection vulnerabilities and application crashes due to null pointer dereferences.
The vulnerability is directly related to PostgreSQL’s CVE-2025-1094, originally reported to the PostgreSQL project.
Security researchers discovered that PHP’s implementation doesn’t allow for proper error reporting during escape operations, potentially leaving applications vulnerable even when PostgreSQL attempts to trigger server-side errors for invalidly encoded strings.
Additionally, multiple calls to PQescapeIdentifier() fail to check for a NULL return value, which is the function's documented way of reporting an error.
This oversight could lead to undefined behavior (UB) or application crashes in various code paths.
SOAP Extension Flaw
The second vulnerability, CVE-2025-6491, affects PHP’s SOAP extension and can cause segmentation faults leading to denial of service.
The flaw manifests when a SoapVar instance is created with a fully qualified name exceeding 2GB in size, triggering a null pointer dereference that results in immediate application termination.
The vulnerability occurs due to limitations in libxml2 versions prior to 2.13, which cannot properly handle calls to xmlNodeSetName() with names longer than 2GB.
This leaves XML node objects in an invalid state with NULL names, subsequently causing crashes during message serialization.
The attack vector involves creating a malicious SoapVar object with an oversized namespace prefix, as demonstrated in the proof-of-concept code that generates a segmentation fault through the xmlBuildQName() function.
The vulnerability carries a CVSS score of 5.9, indicating moderate severity but significant potential for service disruption.
| CVE | Description | Affected Products | CVSS 3.1 Score |
| --- | --- | --- | --- |
| CVE-2025-1735 | PostgreSQL extension SQL injection vulnerability | PHP versions < 8.1.33; PHP versions < 8.2.29; PHP versions < 8.3.23; PHP versions < 8.4.10 | 9.1 (Critical) |
| CVE-2025-6491 | SOAP extension denial of service vulnerability | PHP versions < 8.1.33; PHP versions < 8.2.29; PHP versions < 8.3.23; PHP versions < 8.4.10; PHP <= 8.5.0-dev with libxml2 < 2.13 | 5.9 (Moderate) |
Ahmed Leksa, from Qatar Computing Research Institute, discovered the SOAP flaw, which affects any PHP installation with the SOAP extension enabled.
Administrators should immediately update to patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates address both vulnerabilities and restore proper error-handling mechanisms in the affected extensions.
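The following script is an added example and is not code from the advisory or from the PHP project. It covers the two points above: it checks whether the running interpreter is below the patched release for its branch and whether the pgsql or soap extension is actually loaded (the version alone does not mean exposure), and it shows the parameterized-query pattern for pgsql that avoids the PHP-side escape functions at the centre of CVE-2025-1735 altogether. The table and column names, the users table and the findUserByEmail and columnFromAllowList helpers are assumptions made up for the illustration; the patched version numbers come from the advisory.

```php
<?php
// Added example (not from the advisory or the PHP project): exposure check for
// CVE-2025-1735 / CVE-2025-6491 and a parameterized-query pattern for pgsql.

declare(strict_types=1);

// Patched releases per branch, as listed in the advisory.
const PATCHED_VERSIONS = [
    '8.1' => '8.1.33',
    '8.2' => '8.2.29',
    '8.3' => '8.3.23',
    '8.4' => '8.4.10',
];

/**
 * Patched release for the branch of $version, or null when the branch is not
 * one of the four listed (e.g. an 8.5 development build or an EOL 8.0).
 */
function patchedVersionForBranch(string $version): ?string
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    return PATCHED_VERSIONS[$branch] ?? null;
}

/** True when $version is an unpatched release of one of the four branches. */
function isAffectedVersion(string $version): bool
{
    $patched = patchedVersionForBranch($version);
    if ($patched === null) {
        return false; // branch not covered by the advisory: no claim either way
    }
    return version_compare($version, $patched, '<');
}

/**
 * Exposure summary for one interpreter: each CVE only matters when the
 * corresponding extension is loaded, so report per extension.
 */
function exposureReport(string $version, array $loadedExtensions): array
{
    $affected = isAffectedVersion($version);
    return [
        'php_version'     => $version,
        'patched_version' => patchedVersionForBranch($version),
        'CVE-2025-1735'   => $affected && in_array('pgsql', $loadedExtensions, true),
        'CVE-2025-6491'   => $affected && in_array('soap', $loadedExtensions, true),
    ];
}

/**
 * Defensive data access (hypothetical users table): values travel as query
 * parameters, so libpq handles quoting and no pg_escape_string() call is made.
 * $conn is a pgsql connection as returned by pg_connect().
 */
function findUserByEmail($conn, string $email): array|false
{
    $result = pg_query_params(
        $conn,
        'SELECT id, email FROM users WHERE email = $1',
        [$email]
    );
    if ($result === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($conn));
    }
    return pg_fetch_assoc($result);
}

/**
 * Identifiers (table/column names) cannot be passed as parameters; instead of
 * escaping a user-controlled name, accept only names from a fixed allow-list.
 */
function columnFromAllowList(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('column not permitted: ' . $requested);
    }
    return $requested;
}

// Stand-alone run: report on the interpreter executing this script.
$report = exposureReport(PHP_VERSION, get_loaded_extensions());
foreach ($report as $key => $value) {
    $shown = is_bool($value) ? ($value ? 'yes' : 'no') : (string) $value;
    printf("%-16s %s\n", $key, $shown);
}
```

Run it with the same php binary that serves the application (php -f on the CLI can load a different extension set than php-fpm does), and treat a "yes" on either CVE line as a reason to upgrade to the listed patched release rather than to patch around the escape calls.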