Information Disclosure Vulnerability in PHP Affects Multichunk Image Processing
CVE-2025-14177

6.3MEDIUM

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 27 December 2025

What is CVE-2025-14177?

The getimagesize() function in PHP versions earlier than specified versions is affected by a vulnerability that results in the potential leak of uninitialized heap memory through the APPn segments when processing images in a multi-chunk mode. This can expose sensitive information from the server's memory, compromising data confidentiality. The flaw arises from a bug in the php_read_stream_all_chunks() function, which fails to properly manage the buffer pointer, leaving parts of it uninitialized. This issue underscores the importance of timely software updates and implementations of best security practices.

Affected Version(s)

PHP 8.1.*

PHP 8.1.* < 8.1.34

PHP 8.2.* < 8.2.30

References

https://github.com/php/php-src/security/advisories/GHSA-3...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 27, 2025
Vulnerability Reserved
Dec 6, 2025

Credit

Nikita Sveshnikov (Positive Technologies)

JSON

PHP Group

What is CVE-2025-14177?

Affected Version(s)

References

CVSS V4

Timeline

Credit