SQL injection in pdo_firebird via NUL bytes in quoted strings

7.4 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Basic Information

ID CVE-2025-14179

Source php

Published May 10, 2026 at 03:51

Affected Product

Vendor PHP Group

Product PHP

Version 8.2.*

Affected Versions PHP Group PHP 8.2.*
PHP Group PHP 8.3.*
PHP Group PHP 8.4.*
PHP Group PHP 8.5.*

CWE Classification

CWE-89

References

github.com /php/php-src/security/advisories/GHSA-w476-322c-wpvm

{
    "lastseen": "",
    "description": "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL\u00a0statements.",
    "published": "2026-05-10T03:51:14.596Z",
    "modified": "2026-05-10T03:51:14.596Z",
    "type": "cve",
    "title": "SQL injection in pdo_firebird via NUL bytes in quoted strings",
    "source": "php",
    "references": "https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm",
    "id": "CVE-2025-14179",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "PHP Group PHP 8.2.*\nPHP Group PHP 8.3.*\nPHP Group PHP 8.4.*\nPHP Group PHP 8.5.*",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PHP",
    "version": "8.2.*",
    "vendor": "PHP Group",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SQL injection in pdo_firebird via NUL bytes in quoted strings_CVE-2025-14179