{
  "threat_severity" : "Important",
  "public_date" : "2026-05-10T03:51:14Z",
  "bugzilla" : {
    "description" : "php: SQL injection in pdo_firebird via NUL bytes in quoted strings",
    "id" : "2468567",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468567"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-89",
  "details" : [ "In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.", "A flaw was found in PHP. The PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This flaw allows SQL injection when attacker-controlled values are quoted via `PDO::quote()` and embedded in SQL statements." ],
  "statement" : "This issue can be exploited in applications using the PDO Firebird driver. The application must construct dynamic queries using `PDO::quote()`, and the query structure must contain subsequent string boundaries or parameters. This allows an attacker to inject a malicious payload, resulting in the execution of arbitrary database commands. Additionally, the use of `PDO::quote()` for manual concatenation is heavily discouraged and considered a legacy anti-pattern. Modern PHP applications use native prepared statements (`$stmt->execute()`) that are not vulnerable to this issue, limiting its exposure. For these reasons, this vulnerability has been rated as having Important severity.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "php8.4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "php:7.4/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php:8.2/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "php:8.3/php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "php",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-14179\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14179\nhttps://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm" ],
  "name" : "CVE-2025-14179",
  "mitigation" : {
    "value" : "To mitigate this issue, do not use 'PDO::quote()' for manual query concatenation. Refactor the application to use native parameterized prepared statements. Additionally, implement an input validation mechanism to reject any user-supplied data containing control characters, specifically the NUL byte (\\x00).",
    "lang" : "en:us"
  },
  "csaw" : false
}