Information disclosure via getimagesize() function when reading multi-chunk images

Publication Date: 2025-12-27
Severity: Moderate
Type: Information Disclosure
Affected PHP Versions
  • 7.1.0-7.1.34
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.33
  • 8.2.0-8.2.29
  • 8.3.0-8.3.29
  • 8.4.0-8.4.16
  • 8.5.0-8.5.1
Fixed Product Versions
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendPHP 8.5
  • ZendServer 2021.4.4

CVE Details

The getimagesize() function may leak uninitialized heap memory when it processes an image in multi-chunk mode, for example through php://filter. The cause is a bug in php_read_stream_all_chunks(), which overwrites the buffer without advancing the pointer. An attacker can potentially use this to disclose sensitive information from the server's memory, which could compromise the confidentiality of data on the affected server.

Recommendations

If your application does not use the GD library, no action is required. If it does, and you call getimagesize(), do not use the function directly on stream handles; instead, save the image to a temporary file first and then call the function on that file. If this is not possible for performance or other reasons, we recommend upgrading to a known patched version immediately.
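
One way to apply the temporary-file workaround described above, as an added example rather than code from this advisory or from PHP itself. The function name safeImageSize(), the size cap and the sample GIF are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// safeImageSize() and its 10 MiB default cap are assumptions made for this example.
function safeImageSize($stream, int $maxBytes = 10485760): array
{
    if (!is_resource($stream) || get_resource_type($stream) !== 'stream') {
        throw new InvalidArgumentException('expected an open stream');
    }
    // tempnam() creates a uniquely named file in the system temp directory.
    $tmpPath = tempnam(sys_get_temp_dir(), 'img');
    if ($tmpPath === false) {
        throw new RuntimeException('cannot create temporary file');
    }
    try {
        $tmp = fopen($tmpPath, 'wb');
        if ($tmp === false) {
            throw new RuntimeException('cannot open temporary file');
        }
        // Copy one byte past the cap so an oversized input is detected.
        $copied = stream_copy_to_stream($stream, $tmp, $maxBytes + 1);
        fclose($tmp);
        if ($copied === false || $copied === 0) {
            throw new RuntimeException('no image data read');
        }
        if ($copied > $maxBytes) {
            throw new RuntimeException('image exceeds size limit');
        }
        // Plain local path: getimagesize() no longer reads the caller's stream.
        $info = @getimagesize($tmpPath);
        if ($info === false) {
            throw new RuntimeException('not a recognised image');
        }
        return ['width' => $info[0], 'height' => $info[1], 'mime' => $info['mime']];
    } finally {
        // Remove the temporary copy whether or not parsing succeeded.
        @unlink($tmpPath);
    }
}

// Constructed sample input: a 1x1 GIF supplied through an in-memory stream.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$in = fopen('php://memory', 'w+b');
fwrite($in, $gif);
rewind($in);
print_r(safeImageSize($in));
fclose($in);
```

The caller passes whatever stream it already holds (an upload, an HTTP body, a filtered stream); only the temporary copy's filesystem path ever reaches getimagesize().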