CVE-2025-14180 Overview
CVE-2025-14180 is a null pointer dereference vulnerability affecting multiple versions of PHP when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled. An invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This vulnerability can result in application crashes (segmentation faults) and significantly impact server availability.
Critical Impact
This vulnerability enables remote attackers to crash PHP applications using PostgreSQL PDO connections, leading to denial of service conditions that can disrupt web services and backend systems.
Affected Products
- PHP versions 8.1.* before 8.1.34
- PHP versions 8.2.* before 8.2.30
- PHP versions 8.3.* before 8.3.29
- PHP versions 8.4.* before 8.4.16
- PHP versions 8.5.* before 8.5.1
Discovery Timeline
- 2025-12-27 - CVE-2025-14180 published to NVD
- 2026-01-09 - Last updated in NVD database
Technical Details for CVE-2025-14180
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference) and affects the PHP PDO PostgreSQL driver's parameter parsing functionality. When PDO::ATTR_EMULATE_PREPARES is enabled, PHP emulates prepared statements by performing parameter substitution locally rather than sending parameterized queries to the PostgreSQL server. During this process, user-supplied parameters must be properly escaped using the PQescapeStringConn function from the libpq library.
The vulnerability arises when an attacker supplies a malformed character sequence (such as \x99) that causes PQescapeStringConn to fail and return NULL. The pdo_parse_params() function fails to properly validate this return value before dereferencing the pointer, resulting in a segmentation fault that crashes the PHP process.
Root Cause
The root cause is insufficient null pointer validation in the pdo_parse_params() function within the PDO PostgreSQL driver. When PQescapeStringConn encounters an invalid multi-byte character sequence that cannot be properly escaped according to the PostgreSQL encoding rules, it returns NULL to indicate failure. The PHP code path fails to check for this NULL return value before attempting to use the result, leading to the null pointer dereference.
Attack Vector
The attack vector is network-based, requiring an attacker to submit crafted input containing invalid character sequences to a PHP application that uses PDO PostgreSQL with emulated prepared statements. The attack requires specific conditions to be met:
- The target application must use the PDO PostgreSQL driver
- PDO::ATTR_EMULATE_PREPARES must be enabled (not the default)
- User-controlled input must reach a prepared statement parameter
- The input must contain specific invalid byte sequences that trigger the PQescapeStringConn failure
When exploited successfully, the PHP process crashes with a segmentation fault, terminating all active requests and potentially affecting service availability until the process is restarted.
Detection Methods for CVE-2025-14180
Indicators of Compromise
- Unexpected PHP process crashes or segmentation faults in server logs
- Repeated restarts of PHP-FPM or Apache mod_php processes
- Application error logs showing connection failures to PostgreSQL-backed services
- Unusual patterns of HTTP requests containing non-printable or malformed characters targeting form inputs or API endpoints
Detection Strategies
- Monitor PHP error logs and system logs for segmentation fault events associated with PHP processes
- Implement web application firewall (WAF) rules to detect and block requests containing suspicious byte sequences like \x99
- Review PHP configuration files for PDO::ATTR_EMULATE_PREPARES usage in PostgreSQL connections
- Deploy application-level logging to capture input validation failures and unusual character encodings
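The two detection strategies above (crash events in the PHP-FPM log and requests carrying bytes that are invalid in the connection encoding), worked through as an added example that is not part of the original advisory. The log lines and query strings are constructed sample data; the PHP-FPM "exited on signal 11" message format and the lone 0x99 continuation byte being invalid UTF-8 are the only assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed PHP-FPM master log lines (sample data, not real server output).
# "exited on signal 11" is the segmentation fault the advisory describes.
FPM_LOG = [
    "[27-Dec-2025 10:00:01] NOTICE: [pool www] child 1201 started",
    "[27-Dec-2025 10:00:07] WARNING: [pool www] child 1201 exited on signal 11 (SIGSEGV - core dumped) after 6.012 seconds from start",
    "[27-Dec-2025 10:00:07] NOTICE: [pool www] child 1205 started",
    "[27-Dec-2025 10:00:09] WARNING: [pool www] child 1205 exited on signal 11 (SIGSEGV) after 2.101 seconds from start",
    "[27-Dec-2025 10:00:30] NOTICE: [pool api] child 1300 exited with code 0 after 60.000 seconds from start",
]

SEGV_RE = re.compile(r"\[pool (?P<pool>\S+)\] child \d+ exited on signal 11 \(SIGSEGV")


def segfaults_per_pool(lines):
    """Count SIGSEGV child exits per PHP-FPM pool; a burst in one pool is the crash signature."""
    counts = Counter()
    for line in lines:
        m = SEGV_RE.search(line)
        if m:
            counts[m["pool"]] += 1
    return dict(counts)


def invalid_utf8_params(query: bytes):
    """Percent-decode a query string as raw bytes and return {param: first invalid byte run}.

    A lone 0x99 is a UTF-8 continuation byte with no lead byte, so it fails here; this is
    the class of input the advisory says makes PQescapeStringConn fail on a UTF-8 connection.
    """
    bad = {}
    for pair in query.split(b"&"):
        name, _, raw = pair.partition(b"=")
        value = unquote_to_bytes(raw.replace(b"+", b" "))
        try:
            value.decode("utf-8")
        except UnicodeDecodeError as err:
            bad[name.decode("ascii", "replace")] = value[err.start:err.end]
    return bad


# Constructed request samples: one benign multibyte value, one carrying the \x99 byte.
SAMPLE_QUERIES = [b"user=alice&city=Z%C3%BCrich", b"user=bob%99&city=Oslo"]

if __name__ == "__main__":
    print(segfaults_per_pool(FPM_LOG))  # {'www': 2}
    for q in SAMPLE_QUERIES:
        print(q, invalid_utf8_params(q))
```

The encoding check is the same test an application can apply to its own inputs before binding them, which is the input validation the mitigation section recommends.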
Monitoring Recommendations
- Configure alerting for abnormal PHP process termination rates
- Monitor server availability metrics and set thresholds for automatic incident response
- Implement request logging with full payload capture for forensic analysis
- Track connection pool exhaustion events that may indicate exploitation attempts
How to Mitigate CVE-2025-14180
Immediate Actions Required
- Upgrade PHP to the patched release for its branch (8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1) or any later version
- Disable PDO::ATTR_EMULATE_PREPARES for PostgreSQL connections to use native prepared statements
- Implement input validation to reject or sanitize invalid character sequences before database operations
- Deploy rate limiting to reduce the impact of exploitation attempts
Patch Information
PHP has released security patches for all affected version branches. Organizations should upgrade to the following minimum versions:
| Branch | Patched Version |
|---|---|
| PHP 8.1 | 8.1.34 |
| PHP 8.2 | 8.2.30 |
| PHP 8.3 | 8.3.29 |
| PHP 8.4 | 8.4.16 |
| PHP 8.5 | 8.5.1 |
For detailed patch information, refer to the PHP Security Advisory on GitHub.
Workarounds
- Disable PDO::ATTR_EMULATE_PREPARES by setting it to false when creating PDO connections to PostgreSQL
- Implement strict input validation to filter out invalid byte sequences before they reach database queries
- Deploy a web application firewall with rules to detect and block malformed character payloads
- Use process supervision tools to automatically restart crashed PHP processes while applying permanent fixes
```php
<?php
// Recommended PDO configuration to disable emulated prepares
// (assumes $user and $pass hold the database credentials)
$pdo = new PDO('pgsql:host=localhost;dbname=mydb', $user, $pass);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use native server-side prepared statements
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.