Description
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
Published: 2026-05-10
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PDO Firebird driver in PHP mishandles NUL bytes when building SQL queries. When a NUL byte appears inside a quoted string literal, the internal string copy stops prematurely, dropping the closing quote and causing the rest of the query to be parsed as part of that string. An attacker can therefore inject arbitrary SQL by supplying a NUL byte in a value that is quoted with PDO::quote() and then concatenated into a Firebird statement. This classic injection flaw is identified by CWE‑89 and can compromise confidentiality, integrity, or availability of the targeted database.
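The copy behaviour described above, reduced to a stand-alone C illustration. This is an added example, not the pdo_firebird source or the PHP project's patch; the `token` struct, the function names and the sample query are constructed here, and the length-aware copy is one possible way to avoid the truncation.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical token type: a slice of SQL text with an explicit length,
 * so it can carry an embedded NUL byte. */
struct token { const char *ptr; size_t len; };
#define TOK(s) { s, sizeof(s) - 1 }

/* Constructed sample: the middle token is a quoted literal with a NUL inside. */
static const struct token SAMPLE[] = {
    TOK("SELECT id FROM t WHERE a = "), TOK("'x\0y'"), TOK(" AND b = 1"),
};

/* Pattern from the advisory: strncat() treats each token as a C string and
 * stops at the first NUL, although len says more bytes follow.
 * The caller must supply a buffer large enough for all tokens. */
static size_t build_strncat(char *out, const struct token *t, size_t n) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        strncat(out, t[i].ptr, t[i].len);
    return strlen(out);
}

/* Length-aware copy: every byte of every token is kept, NUL included.
 * Returns 0 if the tokens do not fit in cap bytes. */
static size_t build_memcpy(char *out, size_t cap, const struct token *t, size_t n) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (cap == 0 || t[i].len >= cap - pos) return 0;
        memcpy(out + pos, t[i].ptr, t[i].len);
        pos += t[i].len;
    }
    out[pos] = '\0';
    return pos;
}

/* An odd number of single quotes means a string literal was left open. */
static size_t count_quotes(const char *s, size_t len) {
    size_t q = 0;
    for (size_t i = 0; i < len; i++) q += (s[i] == '\'');
    return q;
}

int main(void) {
    char a[64], b[64];
    size_t la = build_strncat(a, SAMPLE, 3);
    size_t lb = build_memcpy(b, sizeof b, SAMPLE, 3);
    printf("strncat: %zu bytes, %zu quote(s): %s\n", la, count_quotes(a, la), a);
    printf("memcpy:  %zu bytes, %zu quote(s)\n", lb, count_quotes(b, lb));
    return 0;
}
```

With the `strncat()` build the closing quote and the byte after the NUL are lost, so the following token lands inside the unterminated literal; the length-aware build keeps both quotes.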

Affected Systems

Affected systems are installations of PHP from the PHP Group that use the PDO Firebird driver and run a release earlier than the fixed versions: PHP 8.2.x before 8.2.31, PHP 8.3.x before 8.3.31, PHP 8.4.x before 8.4.21, and PHP 8.5.x before 8.5.6. Any application that accepts user input, applies PDO::quote(), and embeds the result directly into a Firebird query is vulnerable.

Risk and Exploitability

The risk is moderate to high, with a CVSS score of 7.4. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector involves an application that accepts user input, applies PDO::quote() to that input, and embeds it directly into a Firebird SQL query. Since the vulnerability is triggered by the presence of NUL bytes, attackers can craft input containing such bytes to subvert query parsing once the PHP code is executed on the server.

Generated by OpenCVE AI on May 10, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PHP to a patched release (8.2.31, 8.3.31, 8.4.21, or 8.5.6 or later)
  • Refactor application logic to use prepared statements with bound parameters instead of concatenating quoted strings
  • Remove or encode any NUL bytes from user input before passing it to PDO::quote()


Advisories
Source | ID | Title
Debian DSA | DSA-6255-1 | php8.2 security update
Debian DSA | DSA-6256-1 | php8.4 security update
Ubuntu USN | USN-8336-1 | PHP vulnerabilities

History

Tue, 12 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Php
Php php
CPEs cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Vendors & Products Php
Php php
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 10 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Php Group
Php Group php
Vendors & Products Php Group
Php Group php

Sun, 10 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
Title SQL injection in pdo_firebird via NUL bytes in quoted strings
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: php

Published:

Updated: 2026-05-11T15:23:35.010Z

Reserved: 2025-12-06T06:34:43.979Z

Link: CVE-2025-14179

Vulnrichment

Updated: 2026-05-11T15:23:31.146Z

NVD

Status: Analyzed

Published: 2026-05-10T05:16:09.853

Modified: 2026-05-12T17:48:38.497

Link: CVE-2025-14179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T06:30:05Z

Weaknesses