
Security researchers have disclosed two significant vulnerabilities in PHP, the popular server-side scripting language, that could allow attackers to launch SQL injection (SQLi) and Denial of Service (DoS) attacks.
According to the report, administrators and developers are urged to update their PHP installations immediately to mitigate these risks.

| CVE ID | Component | Severity | Affected Versions | Patched Versions |
|---|---|---|---|---|
| CVE-2025-1735 | pgsql extension | Moderate | <8.1.33, <8.2.29, <8.3.23, <8.4.10 | 8.1.33, 8.2.29, 8.3.23, 8.4.10 |
| CVE-2025-6491 | SOAP extension | Moderate | <8.1.33, <8.2.29, <8.3.23, <8.4.10 | 8.1.33, 8.2.29, 8.3.23, 8.4.10 |

Overview of the Vulnerabilities
1. SQL Injection and Crash via pgsql Extension (CVE-2025-1735)
A moderate-severity flaw has been identified in PHP’s pgsql extension, which is used to interface with PostgreSQL databases.
The vulnerability arises because the extension does not properly check for errors during the escaping of user-supplied data.
Specifically, PHP fails to pass error parameters to the PQescapeStringConn() function, preventing it from reporting encoding errors.
Additionally, several calls to PQescapeIdentifier() do not check for NULL returns, which can result in application crashes or undefined behavior.
Impact:
- SQL Injection: Attackers may exploit this flaw to inject malicious SQL queries, potentially gaining unauthorized access to sensitive data or manipulating the database.
- Denial of Service: Improper error handling can lead to application crashes, disrupting service availability.
Affected Versions:
- PHP < 8.1.33
- PHP < 8.2.29
- PHP < 8.3.23
- PHP < 8.4.10
Patched Versions:
- PHP 8.1.33, 8.2.29, 8.3.23, 8.4.10 and above
2. NULL Pointer Dereference in SOAP Extension (CVE-2025-6491)
A second vulnerability affects the PHP SOAP extension. If a SoapVar instance is created with a fully qualified name larger than 2GB, it can trigger a NULL pointer dereference, resulting in a segmentation fault and process crash.
This is due to limitations in libxml2 versions prior to 2.13, which cannot handle extremely large XML namespace prefixes.
Attackers could exploit this by sending specially crafted SOAP requests, causing a reliable DoS condition.
Impact:
- Denial of Service: Any PHP application using the SOAP extension is at risk of being crashed by a remote attacker, leading to service disruption.
Affected Versions:
- PHP < 8.1.33
- PHP < 8.2.29
- PHP < 8.3.23
- PHP < 8.4.10
Patched Versions:
- PHP 8.1.33, 8.2.29, 8.3.23, 8.4.10 and above
Recommendations
- Update Immediately: Upgrade PHP to the latest patched versions listed above.
- Audit Applications: Review code for unsafe use of database escaping and SOAP input handling.
- Monitor Systems: Watch for unusual crashes or service disruptions that may indicate exploitation attempts.
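
A quick way to triage a host against the patched releases listed above, as an added example rather than code from the PHP project or the report. The function names `php_patch_status` and `affected_extensions` are hypothetical and the sample versions are constructed; the check compares only the upstream version string, so distribution packages that backport fixes must be confirmed against the vendor's own advisory.

```shell
#!/bin/sh
# Added example: classify a PHP version against the patched releases in the
# table above (8.1.33, 8.2.29, 8.3.23, 8.4.10) and list which of the two
# extensions named in the advisory are loaded.

# php_patch_status VERSION -> prints "patched", "affected" or "unknown"
php_patch_status() {
    # Keep MAJOR.MINOR.PATCH and ignore any build or distro suffix.
    ver=$(printf '%s' "$1" |
        sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        8.1) fixed=33 ;;
        8.2) fixed=29 ;;
        8.3) fixed=23 ;;
        8.4) fixed=10 ;;
        *)
            # Branches newer than 8.4 fall under "and above"; older branches
            # have no patched release listed on the page.
            if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -gt 4 ]; }; then
                echo patched
            else
                echo affected
            fi
            return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo affected; fi
}

# affected_extensions: reads `php -m` output on stdin and prints which of
# pgsql / soap are loaded (exact module names only, so pdo_pgsql is skipped).
affected_extensions() {
    grep -i -x -E 'pgsql|soap' | tr 'A-Z' 'a-z' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample versions (not taken from any real host).
for v in 8.1.32 8.3.23 8.2.28-1ubuntu1 8.4.10; do
    printf '%s -> %s\n' "$v" "$(php_patch_status "$v")"
done

# Check the local interpreter when one is on PATH.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    echo "local php $v: $(php_patch_status "$v"); loaded: $(php -m | affected_extensions)"
fi
```
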
Administrators should treat these vulnerabilities with urgency, as both SQLi and DoS attacks can have severe consequences for data security and service reliability.