{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14179","assignerOrgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","state":"PUBLISHED","assignerShortName":"php","dateReserved":"2025-12-06T06:34:43.979Z","datePublished":"2026-05-10T03:51:14.596Z","dateUpdated":"2026-06-30T12:07:24.427Z"},"containers":{"cna":{"providerMetadata":{"orgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","shortName":"php","dateUpdated":"2026-05-10T03:51:14.596Z"},"title":"SQL injection in pdo_firebird via NUL bytes in quoted strings","datePublic":"2026-05-07T00:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-89","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66 SQL Injection"}]}],"affected":[{"vendor":"PHP Group","product":"PHP","packageName":"pdo_firebird","versions":[{"status":"affected","version":"8.2.*","lessThan":"8.2.31","versionType":"semver"},{"status":"affected","version":"8.3.*","lessThan":"8.3.31","versionType":"semver"},{"status":"affected","version":"8.4.*","lessThan":"8.4.21","versionType":"semver"},{"status":"affected","version":"8.5.*","lessThan":"8.5.6","versionType":"semver"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.","supportingMedia":[{"type":"text/html","base64":false,"value":"In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via <code>strncat()</code>, which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via <code>PDO::quote()</code> and embedded in SQL&nbsp;statements."}]}],"references":[{"url":"https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"PROOF_OF_CONCEPT","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER","version":"4.0","baseSeverity":"HIGH","baseScore":7.4,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber"}}],"credits":[{"lang":"en","value":"Aleksey Solovev (Positive Technologies)","type":"finder"},{"lang":"en","value":"Nikita Sveshnikov (Positive Technologies)","type":"finder"},{"lang":"en","value":"Ilija Tovilo","type":"remediation reviewer"},{"lang":"en","value":"Arnaud Le Blanc","type":"remediation reviewer"},{"lang":"en","value":"Saki Takamachi","type":"remediation developer"}],"source":{"advisory":"GHSA-w476-322c-wpvm","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T15:23:23.501909Z","id":"CVE-2025-14179","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T15:23:35.010Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"unaffected","product":"Red Hat Hardened Images","vendor":"Red Hat"}],"datePublic":"2026-05-10T03:51:14.596Z","descriptions":[{"lang":"en","value":"A flaw was found in PHP. The PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This flaw allows SQL injection when attacker-controlled values are quoted via `PDO::quote()` and embedded in SQL statements."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-14179"},{"name":"RHBZ#2468567","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2468567"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14179.json"}],"timeline":[{"lang":"en","time":"2026-05-10T05:01:04.913Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-10T03:51:14.596Z","value":"Made public."}],"title":"php: SQL injection in pdo_firebird via NUL bytes in quoted strings","workarounds":[{"lang":"en","value":"To mitigate this issue, do not use 'PDO::quote()' for manual query concatenation. Refactor the application to use native parameterized prepared statements. Additionally, implement an input validation mechanism to reject any user-supplied data containing control characters, specifically the NUL byte (\\x00)."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:24.427Z"}}]}}