CVE-2025-14180

Published: Dec 27, 2025

Modified: Dec 29, 2025

PUBLISHED

Description

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, when the PDO PostgreSQL driver is used with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

Vendor: PHP Group

Product: PHP

Versions:
affected: 8.1.* - < 8.1.34
affected: 8.2.* - < 8.2.30
affected: 8.3.* - < 8.3.29
affected: 8.4.* - < 8.4.16
affected: 8.5.* - < 8.5.1

Weaknesses (CWE)
