CVE-2025-14179: PHP PDO Firebird driver SQL injection risk in certain versions
Summary
Certain PHP versions with the PDO Firebird driver are at risk of SQL injection. The driver mishandles NUL bytes when preparing SQL queries: a quoted string value containing a NUL byte is truncated at that byte, so the closing quote is lost and the SQL that follows is treated as part of the string, which lets an attacker alter the query. To protect against this, update PHP to the latest version or patch the affected driver.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| php | php | >= 8.2.0, < 8.2.31; >= 8.3.0, < 8.3.31; >= 8.4.0, < 8.4.21; >= 8.5.0, < 8.5.6 (cpe:2.3:a:php:php:*:*:*:*:*:*:*:*) |
Original title
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-...
Original description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
NVD CVSS 4.0 score: 7.4
Vulnerability type
CWE-89
SQL Injection
Published: 10 May 2026 · Updated: 28 May 2026 · First seen: 10 May 2026