Community CVE Fixes

PHP version 8.4.5, 8.3.19 CVE fixes

  • Core

    • Fixed GHSA-rwp7-7vc6-8477: Reference counting in php_request_shutdown causes Use-After-Free. (CVE-2024-11235)

  • LibXML

    • Fixed GHSA-p3x9-6h7p-cgfc: libxml streams use wrong content-type header when requesting a redirected resource. (CVE-2025-1219)

  • Streams

    • Fixed GHSA-hgf54-96fm-v528: Stream HTTP wrapper header check might omit basic auth header. (CVE-2025-1736)
    • Fixed GHSA-52jp-hrpf-2jff: Stream HTTP wrapper truncate redirect location to 1024 bytes. (CVE-2025-1861)
    • Fixed GHSA-pcmh-g36c-qc44: Streams HTTP wrapper does not fail for headers without colon. (CVE-2025-1734)
    • Fixed GHSA-v8xr-gpvj-cx9g: Header parser of http stream wrapper does not handle folded headers. (CVE-2025-1217)

PHP version 8.2.28, 8.1.32 CVE fixes

  • LibXML

    • Fixed GHSA-p3x9-6h7p-cgfc: libxml streams use wrong content-type header when requesting a redirected resource. (CVE-2025-1219)

  • Streams

    • Fixed GHSA-hgf54-96fm-v528: Stream HTTP wrapper header check might omit basic auth header. (CVE-2025-1736)
    • Fixed GHSA-52jp-hrpf-2jff: Stream HTTP wrapper truncate redirect location to 1024 bytes. (CVE-2025-1861)
    • Fixed GHSA-pcmh-g36c-qc44: Streams HTTP wrapper does not fail for headers without colon. (CVE-2025-1734)
    • Fixed GHSA-v8xr-gpvj-cx9g: Header parser of http stream wrapper does not handle folded headers. (CVE-2025-1217)

Community Changes

PHP version 8.4.5 changes

  • BCMath

    • Fixed bug GH-17398: bcmul memory leak.

  • Core

    • Fixed bug GH-17623: Broken stack overflow detection for variable compilation.
    • Fixed bug GH-17618: UnhandledMatchError does not take zend.exception_ignore_args=1 into account.
    • Fix fallback paths in fast_long_{add,sub}_function.
    • Fixed bug OSS-Fuzz #391975641: Crash when accessing property backing value by reference.
    • Fixed bug GH-17718: Calling static methods on an interface that has __callStatic is allowed.
    • Fixed bug GH-17713: ReflectionProperty::getRawValue() and related methods may call hooks of overridden properties.
    • Fixed bug GH-17916: Final abstract properties should error.
    • Fixed bug GH-17866: zend_mm_heap corrupted error after upgrading from 8.4.3 to 8.4.4.

  • DOM

    • Fixed bug GH-17609: Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS.
    • Fixed bug GH-17802: \Dom\HTMLDocument querySelector attribute name is case sensitive in HTML.
    • Fixed bug GH-17847: xinclude destroys live node.
    • Fix using Dom\Node with Dom\XPath callbacks.

  • GD

    • Fixed bug GH-17703: imagescale with both width and height negative values triggers only an Exception on width.

  • FFI

    • Fix FFI Parsing of Pointer Declaration Lists.

  • FPM

    • Fixed bug GH-17643: FPM with httpd ProxyPass encoded PATH_INFO env.

  • GD

    • Fixed bug GH-17772: imagepalettetotruecolor crash with memory_limit=2M.

  • LDAP

    • Fixed bug GH-17704: ldap_search fails when $attributes contains a non-packed array with numerical keys.

  • LibXML

    • Fixed GHSA-wg4p-4hqh-c3g9: Reoccurrence of #72714.

  • MBString

    • Fixed bug GH-17503: Undefined float conversion in mb_convert_variables.

  • Opcache

    • Fixed bug GH-17654: Multiple classes using same trait causes function JIT crash.
    • Fixed bug GH-17577: JIT packed type guard crash.
    • Fixed bug GH-17747: Exception on reading property in register-based FETCH_OBJ_R breaks JIT.
    • Fixed bug GH-17715: Null pointer deref in observer API when calling cases() method on preloaded enum.
    • Fixed bug GH-17868: Cannot allocate memory with tracing JIT on 8.4.4.

  • PDO_SQLite

    • Fixed GH-17837: ()::getColumnMeta() on unexecuted statement segfaults.
    • Fix cycle leak in sqlite3 setAuthorizer().
    • Fix memory leaks in pdo_sqlite callback registration.

  • Phar

    • Fixed bug GH-17808: PharFileInfo refcount bug.

  • PHPDBG

    • Partially fixed bug GH-17387: Trivial crash in phpdbg lexer.
    • Fix memory leak in phpdbg calling registered function.

  • Reflection

    • Fixed bug GH-15902: Core dumped in ext/reflection/php_reflection.c.
    • Fixed missing final and abstract flags when dumping properties.

  • Standard

    • Fixed bug #72666: stat cache clearing inconsistent between file:// paths and plain paths.

  • Streams

    • Fixed bug GH-17650: realloc with size 0 in user_filters.c.
    • Fix memory leak on overflow in _php_stream_scandir().

  • Windows

    • Fixed phpize for Windows 11 (24H2).
    • Fixed GH-17855: CURL_STATICLIB flag set even if linked with shared lib.

  • Zlib

    • Fixed bug GH-17745: zlib extension incorrectly handles object arguments.
    • Fix memory leak when encoding check fails.
    • Fix zlib support for large files.

PHP version 8.3.19 changes

  • BCMath

    • Fixed bug GH-17398: bcmul memory leak.

  • Core

    • Fixed bug GH-17623: Broken stack overflow detection for variable compilation.
    • Fixed bug GH-17618: UnhandledMatchError does not take zend.exception_ignore_args=1 into account.
    • Fix fallback paths in fast_long_{add,sub}_function.
    • Fixed bug GH-17718: Calling static methods on an interface that has __callStatic is allowed.
    • Fixed bug GH-17797: zend_test_compile_string crash on invalid script path.

  • DOM

    • Fixed bug GH-17847: xinclude destroys live node.

  • FFI

    • Fix FFI Parsing of Pointer Declaration Lists.

  • FPM

    • Fixed bug GH-17643: FPM with httpd ProxyPass encoded PATH_INFO env.

  • GD

    • Fixed bug GH-17772: imagepalettetotruecolor crash with memory_limit=2M.

  • LDAP

    • Fixed bug GH-17704: ldap_search fails when $attributes contains a non-packed array with numerical keys.

  • LibXML

    • Fixed GHSA-wg4p-4hqh-c3g9: Reoccurrence of #72714.

  • MBString

    • Fixed bug GH-17503: Undefined float conversion in mb_convert_variables.

  • Opcache

    • Fixed bug GH-17654: Multiple classes using same trait causes function JIT crash.
    • Fixed bug GH-17577: JIT packed type guard crash.
    • Fixed bug GH-17899: zend_test_compile_string with invalid path when opcache is enabled.
    • Fixed bug GH-17868: Cannot allocate memory with tracing JIT.

  • PDO_SQLite

    • Fixed GH-17837: ()::getColumnMeta() on unexecuted statement segfaults.
    • Fix cycle leak in sqlite3 setAuthorizer().

  • Phar

    • Fixed bug GH-17808: PharFileInfo refcount bug.

  • PHPDBG

    • Partially fixed bug GH-17387: Trivial crash in phpdbg lexer.
    • Fix memory leak in phpdbg calling registered function.

  • Reflection

    • Fixed bug GH-15902: Core dumped in ext/reflection/php_reflection.c.

  • Standard

    • Fixed bug #72666: stat cache clearing inconsistent between file:// paths and plain paths.

  • Streams

    • Fixed bug GH-17650: realloc with size 0 in user_filters.c.
    • Fix memory leak on overflow in _php_stream_scandir().

  • Windows

    • Fixed phpize for Windows 11 (24H2).
    • Fixed GH-17855: CURL_STATICLIB flag set even if linked with shared lib.

  • Zlib

    • Fixed bug GH-17745: zlib extension incorrectly handles object arguments.
    • Fix memory leak when encoding check fails.
    • Fix zlib support for large files.

PHP version 8.2.28 changes

  • Core

    • Fixed bug GH-17211: observer segfault on function loaded with dl().

  • LibXML

    • Fixed GHSA-wg4p-4hqh-c3g9: Reocurrence of #72714.

  • Windows

    • Fixed phpize for Windows 11 (24H2).

PHP version 8.1.32 changes

  • LibXML

    • Fixed GHSA-wg4p-4hqh-c3g9: Reocurrence of #72714.

  • Windows

    • Fixed phpize for Windows 11 (24H2).