CVE-2025-14179

Invalid NULL byte handling in Firebird prepared queries

Publication Date 2026-05-10
Severity High
Type SQL Injection
Affected PHP Versions
  • 8.1.0-8.1.34
  • 8.2.0-8.2.30
  • 8.3.0-8.3.30
  • 8.4.0-8.4.20
  • 8.5.0-8.5.5
Fixed Product Versions
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendPHP 8.5

CVE Details

The PDO Firebird driver in PHP improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Recommendations

Implement input validation to detect and remove NUL bytes from values passed to prepared statements, particularly when using the Firebird database extension.

If possible, update to a patched version of PHP.