CVE-2025-14179 HIGH

CVE-2025-14179: SQL injection in pdo_firebird via NUL bytes in quoted strings

Vendor Php Group
Product PHP
Weakness CWE-89 · SQLi
Published May 10, 2026
Last update June 30, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber

What the vulnerability does

01Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Key dates

02Disclosure timeline

May 10, 2026 CVE published
June 30, 2026 Record updated