SQL Injection Vulnerability in PHP's PDO Firebird Driver
CVE-2025-14179

7.4 HIGH

Key Information:

Vendor: PHP Group
Status: Vendor
CVE Published: 10 May 2026

What is CVE-2025-14179?

In the PHP PDO Firebird driver, improper handling of NUL bytes during SQL query preparation can lead to SQL injection. When the driver prepares a statement, a string token that contains a NUL byte is copied incorrectly and its closing quote is dropped, so what was meant to be string content can be parsed as SQL. As a result, attacker-controlled values that were embedded in the statement text with PDO::quote() are not reliably neutralised, even though quoting is exactly what PDO::quote() is meant to make safe. Applications running the PDO Firebird driver on an affected PHP version should upgrade to a fixed release; until then, treat any user-controlled string that reaches statement text via PDO::quote() as a potential injection point.
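The pattern the advisory describes, and the two defences a practitioner would apply, as an added PHP example. This is not code from php-src, the PHP Group or the reporters; the DSN-dependent functions take a PDO handle that would need a live Firebird connection, while the NUL-byte check and the version check run stand-alone. The table and column names, the sample input and the helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration for this advisory; not code from php-src, the PHP Group
// or the reporters. Table/column names and helper names are hypothetical.

// Vulnerable pattern on affected PDO Firebird builds: the untrusted value is
// run through PDO::quote() and spliced into the SQL text. Per the advisory,
// a string token containing a NUL byte is copied incorrectly while the
// driver prepares the query and its closing quote is dropped, so text after
// the NUL byte may be parsed as SQL rather than as string content.
function buildQuotedQuery(PDO $pdo, string $name): string
{
    $quoted = $pdo->quote($name);
    if ($quoted === false) {
        throw new RuntimeException('driver does not support PDO::quote()');
    }
    return 'SELECT id FROM users WHERE name = ' . $quoted;
}

// Defence 1: reject embedded NUL bytes before the value gets anywhere near
// the database. A user name never legitimately contains one.
function rejectNulBytes(string $value): string
{
    if (str_contains($value, "\0")) {
        throw new InvalidArgumentException('embedded NUL byte rejected');
    }
    return $value;
}

// Defence 2: pass the value as a bound parameter. The statement text then
// contains only the placeholder, so no attacker-controlled string token is
// present in the SQL that the driver tokenises during preparation.
function lookupUserId(PDO $pdo, string $name): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', rejectNulBytes($name), PDO::PARAM_STR);
    $stmt->execute();
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Fleet check: compare a PHP version string against the fixed releases listed
// in this advisory. Returns null for branches the advisory does not cover.
function pdoFirebirdFixed(string $phpVersion): ?bool
{
    $fixedIn = ['8.2' => '8.2.31', '8.3' => '8.3.31'];
    foreach ($fixedIn as $branch => $fixedRelease) {
        if (str_starts_with($phpVersion, $branch . '.')) {
            return version_compare($phpVersion, $fixedRelease, '>=');
        }
    }
    return null;
}

// Command-line demonstration that needs no database: a constructed input with
// an embedded NUL byte (illustrative only, not a payload observed in the wild)
// and version checks against the advisory's fixed releases.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $constructedInput = "alice\0' OR 1=1 --";
    try {
        rejectNulBytes($constructedInput);
        echo "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
    foreach (['8.2.30', '8.2.31', '8.3.30', '8.3.31', '8.4.1', PHP_VERSION] as $v) {
        $state = pdoFirebirdFixed($v);
        echo $v, ': ', $state === null
            ? 'branch not covered by this advisory'
            : ($state ? 'fixed' : 'affected'), "\n";
    }
}
```

Run it with `php example.php` to exercise the NUL-byte check and the version comparison; buildQuotedQuery() is kept only to show the shape of code that should be migrated to lookupUserId(). Bound parameters are the durable fix because they keep user data out of the statement text entirely; the NUL-byte check is cheap defence in depth for fields where such bytes have no business appearing.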

Affected Version(s)

PHP 8.2.* < 8.2.31
PHP 8.3.* < 8.3.31

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: listed as "Physical", which is not a valid value for this CVSS v4 metric (it is either None or Present)
Privileges Required: not stated
User Interaction: not stated

Timeline

  • Vulnerability reserved
  • Vulnerability published

Credit

Aleksey Solovev (Positive Technologies)
Nikita Sveshnikov (Positive Technologies)
Ilija Tovilo
Arnaud Le Blanc
Saki Takamachi