PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-14179 Unknown Vendor CVE debrief

CVE-2025-14179 is a high-severity SQL injection issue in PHP's PDO Firebird driver. In affected releases, a NUL byte inside quoted string data can cause the driver to drop the closing quote during query construction, which may let later SQL tokens be parsed as part of the attacker-controlled string.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Teams running PHP applications that use PDO with the Firebird driver, especially code that quotes user-supplied data with PDO::quote() and embeds that output into SQL statements.

Technical summary

According to the CVE description, the PDO Firebird driver improperly handles NUL bytes while preparing SQL queries. During token-by-token construction, a string token containing a NUL byte is copied with strncat(), which stops at the NUL and can omit the closing quote. That changes the parser context so subsequent SQL tokens may be treated as part of the string, creating an SQL injection path when attacker-controlled values are quoted and inserted into statements. The affected ranges called out in the record are PHP 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6.

Defensive priority

High. This is an externally reachable injection flaw in a core database driver, with CVSS 7.4 and potential impact to confidentiality, integrity, and availability when vulnerable code paths are reachable.

Recommended defensive actions

  • Upgrade PHP to a fixed release: 8.2.31, 8.3.31, 8.4.21, or 8.5.6, depending on your installed branch.
  • Inventory applications that use PDO with the Firebird driver and identify any code that depends on PDO::quote() or manual SQL string assembly.
  • Prefer parameterized queries over quoted string concatenation wherever possible.
  • Review any handling of user-controlled or binary input that may contain NUL bytes before it reaches database-layer SQL construction.
  • After patching, test representative Firebird database operations in staging to confirm query behavior and application compatibility.
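The inventory and query-handling recommendations above, as an added PHP example that is not part of this debrief or of PHP's own code; the fixed versions are taken from the record, while the PDO connection, the accounts table and its columns are assumptions.

```php
<?php
// Added example (not PatchSiren's or PHP's own code): two defensive checks
// drawn from the advisory's recommendations for CVE-2025-14179.

/** Fixed releases per the CVE record, keyed by minor branch. */
const CVE_2025_14179_FIXED = [
    '8.2' => '8.2.31',
    '8.3' => '8.3.31',
    '8.4' => '8.4.21',
    '8.5' => '8.5.6',
];

/**
 * True when $version is in an affected range from the record.
 * Branches the record does not mention are reported as not affected.
 */
function isAffectedPhpVersion(string $version): bool
{
    $parts = explode('.', $version);
    if (count($parts) < 2) {
        return false;
    }
    $branch = $parts[0] . '.' . $parts[1];
    if (!isset(CVE_2025_14179_FIXED[$branch])) {
        return false;
    }
    return version_compare($version, CVE_2025_14179_FIXED[$branch], '<');
}

/**
 * Parameterized lookup: the value never goes through PDO::quote() or string
 * concatenation, and NUL bytes are rejected before reaching the driver.
 * The table and column names are assumptions for illustration.
 */
function findAccountByName(PDO $pdo, string $name): array
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in database input');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM accounts WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inventory check for this interpreter; only meaningful when the Firebird
// PDO driver is actually loaded.
if (extension_loaded('pdo_firebird') && isAffectedPhpVersion(PHP_VERSION)) {
    fwrite(STDERR, 'PHP ' . PHP_VERSION . " is in an affected range for CVE-2025-14179\n");
}
```

Run the script on each host from the application inventory; a warning on STDERR means the interpreter needs one of the fixed releases listed above.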

Evidence notes

The debrief is based on the supplied CVE description and the official NVD record, which lists the issue as CVSS 7.4 HIGH and references the PHP security advisory GHSA-w476-322c-wpvm. The record states the affected PHP version ranges and the NUL-byte/strncat() quote-handling failure that can lead to SQL injection. PublishedAt in the supplied timeline is 2026-05-10T05:16:09.853Z.

Official resources

Publicly disclosed in the CVE record on 2026-05-10. The supplied source record is from NVD with status Received and includes a reference to the PHP security advisory GHSA-w476-322c-wpvm. No KEV listing was provided in the supplied corpus.