
NULL pointer dereference in PDO PostgreSQL driver

Publication Date 2025-12-27
Severity High
Type Information Disclosure
Affected PHP Versions
  • 8.1.0-8.1.33
  • 8.2.0-8.2.29
  • 8.3.0-8.3.29
  • 8.4.0-8.4.16
  • 8.5.0-8.5.1
Fixed Product Versions
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendPHP 8.5

CVE Details

When the PDO (PHP Data Objects) PostgreSQL driver is configured with PDO::ATTR_EMULATE_PREPARES enabled, a remote attacker can trigger a NULL pointer dereference by supplying an invalid character sequence in a prepared statement parameter, which crashes the server. The primary impact is a Denial of Service (DoS) affecting the availability of the target server.

Recommendations

Users of the affected versions should upgrade to PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1 or later. Alternatively, users may disable PDO::ATTR_EMULATE_PREPARES in their PostgreSQL connection settings as a mitigation strategy.

Note: PHP 7.2, 7.3, 7.4, and 8.0 were analyzed, and it was determined that no fixes were required for these versions.
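
The version check and the PDO::ATTR_EMULATE_PREPARES mitigation from the recommendation above, as an added example that is not part of the original advisory. The helper names isPatched and connectPgsql and the PG_DSN, PG_USER and PG_PASS environment variables are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Fixed release per branch, copied from the advisory's recommendation.
const FIXED_RELEASES = [
    '8.1' => '8.1.34', '8.2' => '8.2.30', '8.3' => '8.3.29',
    '8.4' => '8.4.16', '8.5' => '8.5.1',
];

// true/false = patched or not; null = branch not in the advisory's fix list.
function isPatched(string $version): ?bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(FIXED_RELEASES[$branch])) {
        return null;
    }
    return version_compare($version, FIXED_RELEASES[$branch], '>=');
}

// Hypothetical helper: open a pgsql connection with the mitigation applied.
function connectPgsql(string $dsn, string $user, string $pass): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Affected configuration: PDO::ATTR_EMULATE_PREPARES => true
        PDO::ATTR_EMULATE_PREPARES => false, // mitigation from the advisory
    ]);
    // Fail closed if the driver still reports emulation as enabled.
    if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException('PDO::ATTR_EMULATE_PREPARES is still enabled');
    }
    return $pdo;
}

$running = sprintf('%d.%d.%d', PHP_MAJOR_VERSION, PHP_MINOR_VERSION, PHP_RELEASE_VERSION);
$status  = isPatched($running);
if ($status === null) {
    echo "PHP $running: branch not in the advisory's fixed-version list\n";
} elseif ($status) {
    echo "PHP $running: at or above the fixed release for its branch\n";
} else {
    echo "PHP $running: below the fixed release, upgrade or apply the mitigation\n";
}

// Connect only when a DSN is supplied (PG_DSN, PG_USER, PG_PASS are assumed names).
if (($dsn = getenv('PG_DSN')) !== false) {
    $pdo  = connectPgsql($dsn, (string) getenv('PG_USER'), (string) getenv('PG_PASS'));
    $stmt = $pdo->prepare('SELECT CAST(:v AS text)'); // prepared server-side
    $stmt->execute(['v' => 'ok']);
    echo 'query ok: ', $stmt->fetchColumn(), "\n";
}
```

Without PG_DSN set, the script only reports the version status and makes no database connection.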