CVE-2025-6491
NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
| Publication Date | 2025-07-05 |
|---|---|
| Severity | Critical |
| Type | Cross-Site Request Forgery |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
In all PHP versions prior to 8.1, PHP versions 8.1.0-8.1.32, 8.2.0-8.2.28, 8.3.0-8.3.22, and 8.4.0-8.4.9, an overly large (>2Gb) XML namespace prefix encountered while parsing XML data in the SOAP extension may lead to a null pointer dereference. This can crash the process and affect the availability of the target server.
Recommendations
SOAP XML parsing generally happens within the SoapClient or SoapServer classes, which do not provide options for pre-validation of the XML. If you are consuming or providing a SOAP service, we recommend either using a third-party library such as phpro/soap-client to mitigate this issue, or updating to a version of PHP that patches this vulnerability.
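One way to put the pre-validation that SoapServer itself lacks in front of it, as an added example that is not code from this advisory or from PHP: read the request body with a hard size cap before SoapServer::handle() ever parses it. Because the dereference needs a namespace prefix larger than 2Gb, a body capped far below that cannot carry one; the prefix-length regex is a second, cheaper layer on the already-bounded body. MAX_SOAP_BODY_BYTES, MAX_NS_PREFIX_LEN, the WSDL path and the handler class are assumptions, not values from the advisory.

```php
<?php
// Added example, not part of the advisory: a request-size gate in front of a
// SoapServer. The dereference described above needs a namespace prefix larger
// than 2 GB, so a body capped far below that cannot carry one.
// MAX_SOAP_BODY_BYTES and MAX_NS_PREFIX_LEN are assumed values; tune them to
// the largest legitimate messages your service exchanges.

const MAX_SOAP_BODY_BYTES = 8 * 1024 * 1024; // 8 MiB (assumed)
const MAX_NS_PREFIX_LEN   = 256;             // bytes (assumed)

/**
 * Reads the raw request body from php://input, stopping as soon as it
 * exceeds $maxBytes. Returns null when the body is too large.
 */
function readBoundedRequestBody(int $maxBytes): ?string
{
    // Reject early on a declared length; the stream loop below still covers
    // chunked or mis-declared bodies.
    $declared = $_SERVER['CONTENT_LENGTH'] ?? null;
    if ($declared !== null && (int) $declared > $maxBytes) {
        return null;
    }

    $in = fopen('php://input', 'rb');
    if ($in === false) {
        return null;
    }
    $body = '';
    while (!feof($in)) {
        $chunk = fread($in, 65536);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $body .= $chunk;
        if (strlen($body) > $maxBytes) {
            fclose($in);
            return null; // stop buffering an oversized body
        }
    }
    fclose($in);
    return $body;
}

/**
 * Defence-in-depth heuristic: flag any namespace prefix longer than
 * $maxPrefixLen, whether declared (xmlns:PREFIX=) or used in a tag name
 * (<PREFIX:local ...>). It only runs on a body already under the size cap.
 */
function hasOverlongNamespacePrefix(string $xml, int $maxPrefixLen): bool
{
    $n = $maxPrefixLen + 1;
    return (bool) preg_match('/xmlns:[^\s=>]{' . $n . ',}=/', $xml)
        || (bool) preg_match('/<\/?[^\s:>\/]{' . $n . ',}:/', $xml);
}

/**
 * Runs both checks and only then hands the body to SoapServer::handle(),
 * which accepts an explicit request string instead of reading php://input.
 */
function handleSoapRequestSafely(SoapServer $server): void
{
    $body = readBoundedRequestBody(MAX_SOAP_BODY_BYTES);
    if ($body === null) {
        http_response_code(413); // Payload Too Large
        header('Content-Type: text/plain');
        echo "SOAP request body exceeds the permitted size\n";
        return;
    }
    if (hasOverlongNamespacePrefix($body, MAX_NS_PREFIX_LEN)) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo "SOAP request contains an overlong XML namespace prefix\n";
        return;
    }
    $server->handle($body);
}

// Wiring (placeholders: the WSDL path and handler class are assumptions):
// $server = new SoapServer('/path/to/service.wsdl');
// $server->setClass(MyServiceHandler::class);
// handleSoapRequestSafely($server);
```

The in-code cap makes the limit explicit and returns a clear 413 rather than relying only on the coarser php.ini directive post_max_size. On the consuming side the same bounding applies to the response: a SoapClient subclass can override SoapClient::__doRequest(), fetch the remote reply itself, and apply readBoundedRequestBody-style length and prefix checks before returning the string for parsing. Neither check replaces updating to a patched PHP version; they reduce exposure until that update is done.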