Null Pointer Dereference in PHP PDO PostgreSQL Driver
CVE-2025-14180

8.2 HIGH

Key Information:

Vendor: PHP Group

Status: Vendor

CVE Published: 27 December 2025

What is CVE-2025-14180?

In the affected PHP versions, when the PDO PostgreSQL driver is used with PDO::ATTR_EMULATE_PREPARES set to true, invalid character sequences in prepared statement parameters can cause the quoting function PQescapeStringConn to return NULL. pdo_parse_params() then dereferences that null pointer, which can crash the process with a segmentation fault and disrupt the availability of the server. The vulnerability emphasizes the need for developers to validate parameters properly in their applications.
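As an added illustration, not code from the advisory or from PHP itself, the following PHP shows the weak connection setting beside the corrected one and an encoding check applied before a parameter reaches the driver. It assumes a PostgreSQL DSN, a UTF-8 client encoding, the mbstring extension and a hypothetical users table; upgrading to the fixed versions listed below remains the actual fix.

```php
<?php
// Added example for CVE-2025-14180 (not from the advisory or the PHP project).
// Assumes: PostgreSQL DSN, UTF-8 client encoding, mbstring available.

function pgConnect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        // Weak setting: the driver quotes parameters client-side with
        // PQescapeStringConn, the code path the advisory describes.
        // PDO::ATTR_EMULATE_PREPARES => true,

        // Corrected setting: server-side prepared statements; parameter
        // values are sent to PostgreSQL separately and not quoted by the driver.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    ]);
}

/**
 * Reject parameters that are not valid UTF-8 before binding them.
 * Byte sequences invalid in the client encoding are what makes the quoting
 * step fail, so checking here turns a crash into an ordinary application error.
 */
function requireValidUtf8(string $value, string $name): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException("Parameter '$name' is not valid UTF-8");
    }
    return $value;
}

// Hypothetical lookup against a users(id, email) table.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => requireValidUtf8($email, 'email')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The encoding check is a defence-in-depth measure for code that must keep emulated prepares enabled; it does not replace applying the fixed PHP releases.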

Affected Version(s)

  • PHP 8.1.*
  • PHP 8.1.* < 8.1.34
  • PHP 8.2.* < 8.2.30

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aleksey Solovev (Positive Technologies)