CVE-2025-14179
SQL injection in pdo_firebird via NUL bytes in quoted strings
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
9th
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
| CWE | CWE-89 |
| Vendor | php group |
| Product | php |
| Published | May 10, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for php group php
Be the first to know when new unknown vulnerabilities affecting php group php are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
PHP Group / PHP
8.2.* < 8.2.31 8.3.* < 8.3.31 8.4.* < 8.4.21 8.5.* < 8.5.6
References
Credits
Aleksey Solovev (Positive Technologies) Nikita Sveshnikov (Positive Technologies) Ilija Tovilo Arnaud Le Blanc Saki Takamachi