DEBIAN-CVE-2025-14179
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-14179
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14179.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-14179
- Upstream
- Published
- 2026-05-10T05:16:09.853Z
- Modified
- 2026-05-16T01:00:12.272111Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQLÂ statements.
- References
Affected packages
Debian:12 / php8.2
Package
- Name
- php8.2
- Purl
- pkg:deb/debian/php8.2?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.2.31-1~deb12u1
Affected versions
8.*
8.2.5-2
8.2.7-1~deb12u1
8.2.7-1
8.2.7-1.1
8.2.7-1.2
8.2.10-1
8.2.10-2
8.2.12-1
8.2.16-1
8.2.16-2
8.2.17-1
8.2.18-1~deb12u1
8.2.18-1
8.2.20-1~deb12u1
8.2.20-2
8.2.20-3
8.2.21-1
8.2.23-1
8.2.24-1~deb12u1
8.2.24-1
8.2.26-1~deb12u1
8.2.26-4
8.2.27-1
8.2.28-1~deb12u1
8.2.29-1~deb12u1
8.2.30-1~deb12u1
Debian:13 / php8.4
Package
- Name
- php8.4
- Purl
- pkg:deb/debian/php8.4?arch=source
Debian:14 / php8.4
Package
- Name
- php8.4
- Purl
- pkg:deb/debian/php8.4?arch=source