VDB
CVE-2025-14179
CVE-2025-14179
PUBLISHED
CVSS 7.400000095367432 HIGH
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
EPSS 0.04% · 11.7th percentile
Risk Scores
CVSS v4.0
7.400000095367432
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber
EPSS Score
0.04%
11.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PHP Group | PHP | 8.2.*, 8.4.*, * |
Timeline
- May 8, 2026 PoC Published
- May 8, 2026 PoC Published
- May 10, 2026 CVE Published
- May 11, 2026 Security Advisory
- May 12, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score