pgsql extension does not check for errors during escaping

Publication Date 2025-07-05
Severity Critical
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.32
  • 8.2.0-8.2.28
  • 8.3.0-8.3.22
  • 8.4.0-8.4.9
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendPHP 8.4
  • ZendServer 2021.4.3

CVE Details

A missing error check in the pgsql extension's escaping functionality could result in SQL injection, and missing error handling could lead to crashes due to null pointer dereferences.

Recommendations

If you use Postgres within your PHP application and rely on it for escaping/quoting SQL, you should immediately update to a version of PHP that corrects the issue.

Also note that this fix depends on updated PostgreSQL client libraries (libpq) on the system hosting PHP. Older Linux releases (such as RHEL 7.x, CentOS 7, Debian 10, Ubuntu 18.04) do not include the client library fix in the default operating system installation. Related to PostgreSQL CVE-2025-1094 (versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected).
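The following PHP script is an added example, not code from Zend or the PHP project. It shows the two defensive measures the advisory implies: moving values out of the escaping path entirely with pg_query_params(), and, where string building cannot yet be removed, treating a failed pg_escape_literal() as fatal instead of concatenating its result. It also checks the libpq version reported by pg_version() against the patched releases named in the CVE-2025-1094 note above, since a patched PHP on an old client library is still exposed. The DSN, table name and column names are placeholders.

```php
<?php
// Added example (not Zend's or PHP's own code). The DSN and schema are placeholders.
declare(strict_types=1);

// Patched libpq minor versions, taken from the advisory's CVE-2025-1094 note.
const PATCHED_LIBPQ = [17 => 3, 16 => 7, 15 => 11, 14 => 16, 13 => 19];

/**
 * True when a libpq client version string (e.g. "16.7", or "13.19 (Debian ...)")
 * is at or above the patched release for its major version. Majors older than
 * those listed (12 and below) are out of support and treated as unpatched;
 * majors newer than 17 were released after the fix.
 */
function libpqHasEscapeFix(string $clientVersion): bool
{
    if (!preg_match('/^(\d+)\.(\d+)/', $clientVersion, $m)) {
        return false; // unparseable: assume unpatched
    }
    $major = (int) $m[1];
    $minor = (int) $m[2];
    if (!isset(PATCHED_LIBPQ[$major])) {
        return $major > 17;
    }
    return $minor >= PATCHED_LIBPQ[$major];
}

/**
 * Preferred form: a parameterized query. The value never passes through the
 * escaping routines, so the unchecked-error bug cannot be reached and no
 * quoting is needed in the SQL text. $db is a pgsql connection (resource on
 * PHP 7.x, PgSql\Connection on 8.1+).
 */
function findUserByEmail($db, string $email): ?array
{
    $res = pg_query_params($db, 'SELECT id, email FROM users WHERE email = $1', [$email]);
    if ($res === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($db));
    }
    $row = pg_fetch_assoc($res);
    return $row === false ? null : $row;
}

/**
 * Legacy path for code that still interpolates values: a false return from
 * pg_escape_literal() is an error and must not be concatenated into SQL.
 * On an unpatched PHP/libpq pair this check alone is not sufficient, because
 * the flaw is precisely that escaping errors go unreported; it is a guard to
 * keep once the fixed versions are installed.
 */
function quoteLiteralOrFail($db, string $value): string
{
    $quoted = pg_escape_literal($db, $value);
    if ($quoted === false) {
        throw new RuntimeException('escaping failed: ' . pg_last_error($db));
    }
    return $quoted;
}

$db = pg_connect('host=localhost dbname=app user=app'); // placeholder DSN
if ($db === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// pg_version() reports the libpq version PHP was loaded with under 'client'.
$client = pg_version($db)['client'] ?? '';
if (!libpqHasEscapeFix($client)) {
    fwrite(STDERR, "libpq '$client' predates the CVE-2025-1094 fix; update the client libraries\n");
}

var_dump(findUserByEmail($db, "o'brien@example.com"));

// Only reached by code that cannot yet use parameters:
$sql = 'SELECT id FROM users WHERE email = ' . quoteLiteralOrFail($db, "o'brien@example.com");
var_dump(pg_query($db, $sql) !== false);
```

The version check is deliberately conservative: an unparseable or unlisted older version is reported as unpatched, which is the safer failure mode for a check whose purpose is to flag hosts that still need the client library update.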