ZendPHP December 2025 Releases

December 17, 2025

Community Changes

PHP Version PHP ZendPHP 8.5.1 Changes

Core
- Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). (ilutov)
- Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).(nielsdos)
- Fixed bug GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop). (nielsdos)
- Fixed bug GH-19844 (Don't bail when closing resources on shutdown). (ilutov)
- Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). (ilutov)
- Fixed bug GH-20270 (Broken parent hook call with named arguments). (ilutov)
- Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). (ilutov)
DOM
- Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). (nielsdos)
- Fixed bug GH-20281 (\Dom\Document::getElementById() is inconsistent after nodes are removed). (nielsdos)
Exif
- Fix possible memory leak when tag is empty. (nielsdos)
FPM
- Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). (Jakub Zelenka, txuna)
FTP
- Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes). (nielsdos)
GD
- Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). (Girgias)
Intl
- Fix memory leak on error in locale_filter_matches(). (nielsdos)
LibXML
- Fix not thread safe schema/relaxng calls. (SpencerMalone, nielsdos)
MySQLnd
- Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). (nielsdos)
- Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). (nielsdos)
Opcache
- Fixed bug GH-20081 (access to uninitialized vars in preload_load()). (Arnaud)
- Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). (Arnaud, Shivam Mathur)
- Fixed bug GH-19875 (JIT 1205 segfault on large file compiled in subprocess). (Arnaud)
- Fixed bug GH-20012 (heap buffer overflow in jit). (Arnaud)
- Partially fixed bug GH-17733 (Avoid calling wrong function when reusing file caches across differing environments). (ilutov)
PgSql
- Fix memory leak when first string conversion fails. (nielsdos)
- Fix segfaults when attempting to fetch row into a non-instantiable class name. (Girgias, nielsdos)
Phar
- Fix memory leak of argument in webPhar. (nielsdos)
- Fix memory leak when setAlias() fails. (nielsdos)
- Fix a bunch of memory leaks in phar_parse_zipfile() error handling. (nielsdos)
- Fix file descriptor/memory leak when opening central fp fails. (nielsdos)
- Fix memleak+UAF when opening temp stream in buildFromDirectory() fails. (nielsdos)
- Fix potential buffer length truncation due to usage of type int instead of type size_t. (Girgias)
- Fix memory leak when openssl polyfill returns garbage. (nielsdos)
- Fix file descriptor leak in phar_zip_flush() on failure. (nielsdos)
- Fix memory leak when opening temp file fails while trying to open gzip-compressed archive. (nielsdos)
- Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects). (nielsdos)
Random
- Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)
Reflection
- Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true for classes with property hooks). (alexandre-daubois)
SimpleXML
- Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work). (nielsdos)
Streams
- Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64. (Jakub Zelenka)
Tidy
- Fixed GH-19021 (improved tidyOptGetCategory detection). (arjendekorte, David Carlier, Peter Kokot)
- Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos)
XMLReader
- Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. (nielsdos)
Windows
- Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket). (dktapps)

PHP Version PHP ZendPHP 8.4.16 Changes

Core
- Sync all boost.context files with release 1.86.0. (mvorisek)
- Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
- Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)
Bz2
- Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)
Date
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)
DOM
- Fix memory leak when edge case is hit when registering xpath callback. (ndossche)
- Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche)
- Fix missing NUL byte check on C14NFile(). (ndossche)
Fibers
- Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)
FTP
- Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)
GD
- Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
- Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)
Intl
- Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)
LibXML
- Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)
MbString
- Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
- Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)
mysqli
- Make mysqli_begin_transaction() report errors properly. (Kamil Tekiela)
MySQLnd
- Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)
Opcache
- Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)
PDO
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)
Phar
- Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
- Fix broken return value of fflush() for phar file entries. (ndossche)
- Fix assertion failure when fseeking a phar file out of bounds. (ndossche)
PHPDBG
- Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)
SPL
- Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)
Standard
- Fix memory leak in array_diff() with custom type checks. (ndossche)
- Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)
Streams
- Fixed bug GH-20370 (User stream filters could violate typed property constraints). (alexandre-daubois)
Tidy
- Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)
XML
- Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)
Zip
- Fix crash in property existence test. (ndossche)
- Don't truncate return value of zip_fread() with user sizes. (ndossche)
Zlib
- Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

PHP Version PHP 8.3.29 Changes

Core
- Sync all boost.context files with release 1.86.0. (mvorisek)
- Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche)
- Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier)
Bz2
- Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)
Date
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche)
DOM
- Fix missing NUL byte check on C14NFile(). (ndossche)
Fibers
- Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). (David Carlier)
FTP
- Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)
GD
- Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier)
- Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier)
Intl
- Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer)
LibXML
- Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche)
MbString
- Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche)
- Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche)
mysqli
- Make mysqli_begin_transaction() report errors properly. (Kamil Tekiela)
MySQLnd
- Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi)
Opcache
- Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud)
PDO
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)
Phar
- Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla)
- Fix broken return value of fflush() for phar file entries. (ndossche)
- Fix assertion failure when fseeking a phar file out of bounds. (ndossche)
PHPDBG
- Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias)
SPL
- Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche)
Standard
- Fix memory leak in array_diff() with custom type checks. (ndossche)
- Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche)
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)
Tidy
- Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)
XML
- Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche)
Zip
- Fix crash in property existence test. (ndossche)
- Don't truncate return value of zip_fread() with user sizes. (ndossche)
Zlib
- Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche)

PHP Version PHP 8.2.30 Changes

Curl
- Fix curl build and test failures with version 8.16. (nielsdos, ilutov, Jakub Zelenka)
Opcache
- Reset global pointers to prevent use-after-free in zend_jit_status(). (Florian Engelhardt)
PDO
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)
Standard
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

PHP Version PHP 8.1.34 Changes

Curl
- Fix curl build and test failures with version 8.16. (nielsdos, ilutov, Jakub Zelenka)
Opcache
- Reset global pointers to prevent use-after-free in zend_jit_status(). (Florian Engelhardt)
PDO
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka)
Standard
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche)
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche)

Featured Product

ZendPHP

2025 PHP Landscape Report

ZendPHP December 2025 Releases

Community Changes