Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.9
Debian Linux: Unprivileged access to sensitive system files
DEBIAN-CVE-2025-14179
Summary
A vulnerability in Debian Linux allows unprivileged users to access sensitive system files. This could potentially allow an attacker to gain elevated privileges and take control of the system. Debian users should update their systems to the latest version to fix this issue.
What to do
- Update debian php8.2 to version 8.2.31-1~deb12u1.
- Update debian php8.4 to version 8.4.21-1~deb13u1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | php7.4 | All versions |
| Debian:12 | debian | php8.2 |
< 8.2.31-1~deb12u1 Fix: upgrade to 8.2.31-1~deb12u1
|
| Debian:13 | debian | php8.4 |
< 8.4.21-1~deb13u1 Fix: upgrade to 8.4.21-1~deb13u1
|
| Debian:14 | debian | php8.4 | All versions |
Original title
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-...
Original description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
- https://security-tracker.debian.org/tracker/CVE-2025-14179 Vendor Advisory
Published: 10 May 2026 · Updated: 13 May 2026 · First seen: 8 May 2026