CVE-2022-31625 php: uninitialized array in pg_query_params() leading to RCE
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parameterized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or a denial of service.
Validate any parameters you are passing to a parameterized Postgres query to ensure they are correct for the context.
If using the Postgres database extension, we highly recommend updating to PHP 8.1.7, 8.0.20, 7.4.30, ZendPHP 7.3, ZendPHP 7.2, ZendPHP 7.1, or ZendPHP 5.6, all of which contain a patch for this vulnerability.
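The following is an added example, written for this page and not code from Zend or the PHP project, of the two mitigations above applied in application code: a guard that refuses to run on an unpatched PHP release, and a validating wrapper around pg_query_params() that only forwards parameter values the pgsql extension can convert cleanly (strings, null, ints, floats, bools) and checks that the number of values matches the highest $n placeholder in the statement. The function names, the placeholder-count rule and the type whitelist are this example's own choices; the version thresholds are the patched releases named in the advisory, and treating 8.2+ as patched is an assumption.

```php
<?php
declare(strict_types=1);

// Added example (not part of the advisory): defensive helpers around
// pg_query_params() for CVE-2022-31625.

/**
 * True when $version is at or above the patched releases named in the
 * advisory (7.4.30, 8.0.20, 8.1.7). Releases after 8.1 are assumed
 * patched; stock 7.3 and older are treated as unpatched.
 */
function phpIsPatchedForCve202231625(string $version = PHP_VERSION): bool
{
    [$major, $minor, $patch] = array_map('intval', explode('.', $version) + [0, 0, 0]);

    if ($major > 8 || ($major === 8 && $minor >= 2)) {
        return true; // assumption: later branches carry the fix
    }
    if ($major === 8 && $minor === 1) {
        return $patch >= 7;
    }
    if ($major === 8 && $minor === 0) {
        return $patch >= 20;
    }
    if ($major === 7 && $minor === 4) {
        return $patch >= 30;
    }
    return false;
}

/**
 * Returns a clean, zero-indexed list of parameter values, or throws if any
 * value is of a type the driver should not be handed (arrays, objects,
 * resources). Scalars are normalised to the textual form libpq expects.
 */
function sanitizePgParams(array $params): array
{
    $clean = [];
    foreach (array_values($params) as $index => $value) {
        if ($value === null || is_string($value)) {
            $clean[] = $value;
        } elseif (is_int($value) || is_float($value)) {
            $clean[] = (string) $value;
        } elseif (is_bool($value)) {
            $clean[] = $value ? 't' : 'f';
        } else {
            $type = is_object($value) ? get_class($value) : gettype($value);
            throw new InvalidArgumentException(
                sprintf('Parameter %d has unsupported type %s', $index + 1, $type)
            );
        }
    }
    return $clean;
}

/**
 * Ensures the highest $n placeholder in $sql equals the number of values
 * supplied, so no placeholder is left without a matching parameter.
 */
function assertPlaceholderCount(string $sql, array $params): void
{
    preg_match_all('/\$(\d+)/', $sql, $matches);
    $highest = $matches[1] === [] ? 0 : max(array_map('intval', $matches[1]));
    if ($highest !== count($params)) {
        throw new InvalidArgumentException(
            sprintf('Statement references $%d but %d parameters were given', $highest, count($params))
        );
    }
}

/**
 * Validating wrapper: refuses to run on an unpatched PHP and only forwards
 * parameters that passed the checks above. Returns the pgsql result or false.
 */
function safePgQueryParams($connection, string $sql, array $params)
{
    if (!phpIsPatchedForCve202231625()) {
        throw new RuntimeException('PHP ' . PHP_VERSION . ' is affected by CVE-2022-31625; upgrade first');
    }
    $clean = sanitizePgParams($params);
    assertPlaceholderCount($sql, $clean);
    return pg_query_params($connection, $sql, $clean);
}

// Usage (only runs where the pgsql extension and a server are available;
// the connection string is a placeholder).
if (PHP_SAPI === 'cli' && extension_loaded('pgsql')) {
    $conn = @pg_connect('host=localhost dbname=example user=example'); // placeholder DSN
    if ($conn !== false) {
        $result = safePgQueryParams(
            $conn,
            'SELECT id FROM users WHERE email = $1 AND active = $2',
            ['alice@example.org', true]
        );
        var_dump($result !== false);
    }
}
```

The wrapper is deliberately strict: an array or object in the parameter list is rejected before the call rather than left for the extension to convert, and a placeholder/parameter mismatch is reported as an application error instead of being passed to the driver. The version guard is a belt-and-braces measure for deployments where the upgrade recommended above has not yet rolled out everywhere.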