Severity (CVSS 4.0): 9.9

PHP PDO Firebird driver SQL injection risk with NUL bytes

UBUNTU-CVE-2025-14179
Summary

The PHP PDO Firebird driver mishandles NUL bytes in values that have been quoted with PDO::quote() and embedded in SQL statements, so an attacker who controls such a value can inject SQL. This affects PHP versions 8.2 to 8.5 and can lead to unauthorized database access. To mitigate this risk, update to the latest PHP version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem            | Vendor    | Product | Affected versions
Ubuntu:Pro:14.04:LTS | canonical | php5    | All versions
Ubuntu:Pro:16.04:LTS | canonical | php7.0  | All versions
Ubuntu:Pro:18.04:LTS | canonical | php7.2  | All versions
Ubuntu:Pro:20.04:LTS | canonical | php7.4  | All versions
Ubuntu:22.04:LTS     | canonical | php8.1  | All versions
Ubuntu:24.04:LTS     | canonical | php8.3  | All versions
Ubuntu:25.10         | canonical | php8.4  | All versions
Ubuntu:26.04:LTS     | canonical | php8.5  | All versions
Original title
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-...
Original description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
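The copy defect the description refers to, as an added C example that is not the PHP driver's own code: a token-by-token statement assembly using strncat() beside a length-aware memcpy() version, plus the application-side NUL check an unpatched deployment would want before quoting a value. The sql_token type, the sample statement and all function names are constructed for this illustration.

```c
#include <string.h>

/* A SQL token with an explicit byte length, so it can carry an embedded NUL.
 * Hypothetical type for this example, not the driver's own structure. */
typedef struct { const char *data; size_t len; } sql_token;
#define TOK(s) { s, sizeof(s) - 1 }   /* sizeof counts embedded NULs too */

/* Constructed sample: the middle token is what quoting the value "ab\0c"
 * yields, a single-quoted literal with a NUL byte inside it. */
static const sql_token sample_tokens[] = {
    TOK("SELECT 1 FROM t WHERE n = "),
    TOK("'ab\0c'"),
    TOK(" AND id = 1"),
};
#define SAMPLE_COUNT (sizeof sample_tokens / sizeof sample_tokens[0])

/* Flawed assembly, modelled on the advisory: strncat() treats the token as a
 * C string and stops at the first NUL, so only "'ab" is copied and the
 * closing quote is lost. Returns the number of bytes written. */
size_t build_with_strncat(char *out, size_t cap) {
    out[0] = '\0';
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (strlen(out) + sample_tokens[i].len + 1 > cap) break;
        strncat(out, sample_tokens[i].data, sample_tokens[i].len);
    }
    return strlen(out);
}

/* Length-aware assembly: memcpy() copies exactly len bytes, so the closing
 * quote survives and the NUL stays inside the literal. */
size_t build_with_memcpy(char *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (pos + sample_tokens[i].len + 1 > cap) break;
        memcpy(out + pos, sample_tokens[i].data, sample_tokens[i].len);
        pos += sample_tokens[i].len;
    }
    out[pos] = '\0';
    return pos;
}

/* Count single quotes over an explicit length; an odd count means an
 * unterminated literal, i.e. the statement structure was lost. */
size_t count_quotes(const char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == '\'');
    return n;
}

/* Application-side check: refuse values carrying a NUL byte before quoting. */
int value_has_nul(const char *value, size_t len) {
    return memchr(value, '\0', len) != NULL;
}
```

The strncat() path yields 40 bytes with a single quote character, the memcpy() path 43 bytes with both quotes intact.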
CVSS 4.0 (osv): 9.9
CVSS 3.1 (osv): 9.8
Published: 10 May 2026 · Updated: 26 May 2026 · First seen: 26 May 2026