Information Disclosure Vulnerability in PHP Affects Multichunk Image Processing
CVE-2025-14177

6.3MEDIUM

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 27 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14177?

The getimagesize() function in PHP versions earlier than specified versions is affected by a vulnerability that results in the potential leak of uninitialized heap memory through the APPn segments when processing images in a multi-chunk mode. This can expose sensitive information from the server's memory, compromising data confidentiality. The flaw arises from a bug in the php_read_stream_all_chunks() function, which fails to properly manage the buffer pointer, leaving parts of it uninitialized. This issue underscores the importance of timely software updates and implementations of best security practices.

Affected Version(s)

PHP 8.1.*

PHP 8.1.* < 8.1.34

PHP 8.2.* < 8.2.30

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14177
Created by 34zY

References

https://github.com/php/php-src/security/advisories/GHSA-3...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 18, 2026
👾
Exploit known to exist
May 18, 2026
Vulnerability published
Dec 27, 2025
Vulnerability Reserved
Dec 6, 2025

Credit

Nikita Sveshnikov (Positive Technologies)

CVE-2025-14177 Data

JSON

PHP Group

Badges

What is CVE-2025-14177?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit