CVE-2025-14179

SQL injection in pdo_firebird via NUL bytes in quoted strings

Assigner: php
Reserved: 06.12.2025 Published: 10.05.2026 Updated: 10.05.2026

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber
CVSS Score: 7.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	PHP Group
Product	PHP
Versions	Default: affected affected from 8.2.* to 8.2.31 (excl.) affected from 8.3.* to 8.3.31 (excl.) affected from 8.4.* to 8.4.21 (excl.) affected from 8.5.* to 8.5.6 (excl.)

Vendor

PHP Group

Product

PHP

Versions

Default: affected

affected from 8.2.* to 8.2.31 (excl.)
affected from 8.3.* to 8.3.31 (excl.)
affected from 8.4.* to 8.4.21 (excl.)
affected from 8.5.* to 8.5.6 (excl.)

Credits

Aleksey Solovev (Positive Technologies) finder
Nikita Sveshnikov (Positive Technologies) finder
Ilija Tovilo remediation reviewer
Arnaud Le Blanc remediation reviewer
Saki Takamachi remediation developer

References

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE

Impacts

CAPEC-66 SQL Injection