
The PHP project has released security patches for two vulnerabilities that expose PHP-based applications to SQL injection and denial-of-service (DoS) attacks. Tracked as CVE-2025-1735 (pgsql extension) and CVE-2025-6491 (SOAP extension), the flaws affect PHP versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, and they matter most to applications that talk to PostgreSQL through pg_* functions or that expose or consume SOAP services.
CVE-2025-1735: pgsql Extension Missing Error Checks Enables SQL Injection & Crashes
This vulnerability stems from missing error handling in PHP's PostgreSQL (pgsql) extension. The extension did not pass libpq's error parameter to PQescapeStringConn() and did not check the return values of PQescapeStringConn() and PQescapeIdentifier(), so failures inside the escaping routines went unnoticed.
“Specifically, the error parameter is not passed to PQescapeStringConn(), which therefore cannot report an error,” the advisory states.
In other words, if libpq hits an invalid multibyte sequence in the client encoding while escaping, PHP never learns of it and hands the escaped string, which the server may reinterpret differently from how the escaper saw it, straight into the query; that is the SQL injection path. The unchecked NULL returns are the crash path.
Recent PostgreSQL releases harden libpq against these encoding problems, but that protection only reaches callers that pass and check the error parameter, which the PHP extension did not, leaving a dangerous gap.
“It was also noted that several calls to PQescapeIdentifier() do not check for the returned value being NULL… [which] could cause crashes or at least UB (undefined behavior) in some of the callsites,” the advisory explains.
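The following script is an added example, not code from the PHP advisory or from the pgsql extension. It shows the application-level pattern that depended on the unchecked escaping (interpolating pg_escape_string() output) next to a pattern that does not route untrusted input through an escaping routine at all: validate the encoding up front and bind values with pg_query_params(), and check pg_escape_identifier() for a false return where an identifier genuinely must be quoted. The connection string, the users table, the UTF8 client encoding and the truncated input are assumptions constructed for the demonstration; mbstring is assumed to be loaded.

```php
<?php
// Added example (not from the PHP advisory or the pgsql extension). Assumes
// a reachable PostgreSQL server at the DSN below and a table "users(id, name)".
declare(strict_types=1);

// Assumed DSN for demonstration; adjust for your environment.
const DSN = 'host=127.0.0.1 dbname=app user=app password=secret';

// Constructed input: UTF-8 cut off mid-character (EURO SIGN is E2 82 AC; the
// last byte is missing). An escaper that cannot report errors still returns
// a string for this, and the server may decode the tail differently.
const TRUNCATED_INPUT = "O'Brien \xE2\x82";

// Unsafe pattern: trust pg_escape_string() and interpolate into SQL. On an
// unpatched PHP the error flag never reached libpq, so a string came back
// regardless of whether the input was valid in the client encoding.
function unsafe_lookup($conn, string $name): string
{
    $escaped = pg_escape_string($conn, $name);
    return "SELECT id FROM users WHERE name = '{$escaped}'";
}

// Hardened pattern: reject input that is not valid in the client encoding,
// then bind it as a parameter so no escaping routine sits between input and
// server. Assumes the client encoding has been set to UTF8 (see below).
function safe_lookup($conn, string $name): array
{
    if (!mb_check_encoding($name, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    $result = pg_query_params($conn, 'SELECT id FROM users WHERE name = $1', [$name]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($result);
}

// Identifiers cannot be bound as parameters; pg_escape_identifier() is the
// right tool, but its false return must be checked rather than interpolated.
function quoted_table($conn, string $table): string
{
    $quoted = pg_escape_identifier($conn, $table);
    if ($quoted === false) {
        throw new RuntimeException('identifier could not be escaped');
    }
    return $quoted;
}

$conn = pg_connect(DSN);
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}
pg_set_client_encoding($conn, 'UTF8');

// Prints whatever pg_escape_string() hands back; on an unpatched PHP that is
// a string even though the input is malformed.
echo unsafe_lookup($conn, TRUNCATED_INPUT), "\n";

try {
    var_dump(safe_lookup($conn, TRUNCATED_INPUT));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo 'SELECT count(*) FROM ', quoted_table($conn, 'users'), "\n";
```

Parameter binding removes the dependency on the escaper's correctness for values, which is why it is the preferred fix regardless of the PHP version in use; the encoding check is cheap insurance for code paths, such as identifiers, that still have to go through escaping.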
CVE-2025-6491: NULL Pointer Dereference in PHP SOAP via Gigantic XML Namespace
Discovered by Ahmed Lekssays of the Qatar Computing Research Institute, this vulnerability affects the PHP SOAP extension when it processes a fully qualified XML name larger than 2 GB.
“If a SoapVar instance is created with a fully qualified name larger than 2G, this will cause a NULL pointer dereference resulting in a segmentation fault,” the advisory writes.
The flaw lies in how PHP's SOAP implementation, built on libxml2, handles an oversized XML namespace prefix. Once the length of the prefix exceeds the maximum value of a C int, xmlNodeSetName() fails silently and leaves the XML node in an invalid state; the next serialization of that node dereferences a NULL pointer and the process segfaults.
The advisory's proof-of-concept is a short PHP script that builds the offending name with str_repeat("A", 0x7fffffff) (0x7fffffff is 2^31 - 1, the largest value a signed 32-bit int can hold) and then runs it through SOAP serialization.
When executed, the PHP process terminates with a segmentation fault; as the advisory puts it, “Valgrind confirms ‘Invalid read of size 1 at address 0x0’.”
This makes the vulnerability a ready-made Denial of Service (DoS) primitive against SOAP-exposed APIs or web services that build SoapVar objects from untrusted input. Triggering it does require the process to hold a name of more than 2 GiB in memory, so a PHP process bounded by the customary 128M memory_limit will fail with an allocation error before the SOAP code is reached; services that raise or remove that limit are the realistic targets.
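The script below is an added example, not the advisory's proof-of-concept and not PHP project code. It shows two guards a SOAP service can apply while waiting for the upgrade: a bounded constructor for SoapVar that refuses oversized name and namespace parts before libxml2 ever sees them, and a capped reader for the request body that runs before SoapServer::handle() parses anything. The two size limits, the 'urn:example' namespace and the ExampleService handler class are assumptions for illustration.

```php
<?php
// Added example (not the advisory's PoC, not PHP project code). The limits
// and the ExampleService class are assumptions for illustration.
declare(strict_types=1);

// Assumed ceiling for any XML name or namespace put into a SoapVar. Real
// QNames are a few dozen bytes, so this is generous while staying far from
// the int-sized lengths that CVE-2025-6491 overflows.
const MAX_XML_NAME_BYTES = 1024;

// Assumed ceiling for an incoming SOAP envelope handled by SoapServer.
const MAX_SOAP_BODY_BYTES = 2 * 1024 * 1024;

// Build a SoapVar only after bounding every caller-controlled name part.
function bounded_soap_var($data, int $encoding, ?string $typeName, ?string $typeNs,
                          ?string $nodeName, ?string $nodeNs): SoapVar
{
    foreach ([$typeName, $typeNs, $nodeName, $nodeNs] as $part) {
        if ($part !== null && strlen($part) > MAX_XML_NAME_BYTES) {
            throw new LengthException('XML name component exceeds ' . MAX_XML_NAME_BYTES . ' bytes');
        }
    }
    return new SoapVar($data, $encoding, $typeName, $typeNs, $nodeName, $nodeNs);
}

// Read the request body with a hard cap. Content-Length may be absent or
// wrong, so it is treated as a hint and the stream is capped regardless.
function read_bounded_body(int $limit): ?string
{
    $declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    if ($declared > $limit) {
        return null;
    }
    $stream = fopen('php://input', 'rb');
    if ($stream === false) {
        return null;
    }
    $body = stream_get_contents($stream, $limit + 1);
    fclose($stream);
    if ($body === false || strlen($body) > $limit) {
        return null;
    }
    return $body;
}

// Demonstration of the SoapVar guard; runs under the CLI without a network.
$ok = bounded_soap_var('hello', XSD_STRING, null, null, 'greeting', 'urn:example');
echo get_class($ok), " built with a ", strlen('urn:example'), "-byte namespace\n";

try {
    bounded_soap_var('hello', XSD_STRING, null, null, 'greeting',
                     str_repeat('A', MAX_XML_NAME_BYTES + 1));
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Server-side usage; only meaningful in a web SAPI. ExampleService is an
// assumed handler class that would exist in a real deployment.
if (PHP_SAPI !== 'cli') {
    $body = read_bounded_body(MAX_SOAP_BODY_BYTES);
    if ($body === null) {
        http_response_code(413);
        exit;
    }
    $server = new SoapServer(null, ['uri' => 'urn:example']);
    $server->setClass('ExampleService');
    $server->handle($body);
}
```

The body cap is the more general of the two guards: an envelope that fits in a couple of megabytes cannot carry a 2 GB name, and it also bounds the memory an attacker can make libxml2 spend on any other oversized construct. The SoapVar guard covers the case the advisory actually describes, where the name is assembled in PHP code from pieces of attacker input rather than parsed from the wire.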
The PHP team has addressed both vulnerabilities in the following versions:
- PHP 8.1.33
- PHP 8.2.29
- PHP 8.3.23
- PHP 8.4.10
All users running PHP with either the PostgreSQL extension or SOAP services are urged to upgrade immediately.
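As an added example, not from the PHP project, here is a small script that reports whether the interpreter it runs under is on a fixed release for these two CVEs and whether the affected extensions are loaded at all. The branch-to-fixed-version table is taken from the advisory; treating branches older than 8.1 as unfixed (no patched release exists for them) and branches newer than 8.4 as carrying the fix from their first release are assumptions.

```php
<?php
// Added example (not from the PHP project): is this interpreter affected?
declare(strict_types=1);

// First fixed release per branch, as listed in the advisory.
const FIXED_VERSIONS = [
    '8.1' => '8.1.33',
    '8.2' => '8.2.29',
    '8.3' => '8.3.23',
    '8.4' => '8.4.10',
];

// "8.3.23" -> "8.3"
function branch_of(string $version): string
{
    [$major, $minor] = explode('.', $version, 3);
    return "$major.$minor";
}

// Returns ['patched' => bool, 'exposed' => bool, ...]. "exposed" means
// unpatched AND at least one affected extension is loaded.
function assessment(string $version, bool $pgsql, bool $soap): array
{
    $branch = branch_of($version);
    if (isset(FIXED_VERSIONS[$branch])) {
        $patched = version_compare($version, FIXED_VERSIONS[$branch], '>=');
    } elseif (version_compare($branch, '8.1', '<')) {
        $patched = false;   // assumption: no fix was released for EOL branches
    } else {
        $patched = true;    // assumption: branches after 8.4 include the fix
    }
    return [
        'version' => $version,
        'branch'  => $branch,
        'patched' => $patched,
        'pgsql'   => $pgsql,
        'soap'    => $soap,
        'exposed' => !$patched && ($pgsql || $soap),
    ];
}

$a = assessment(PHP_VERSION, extension_loaded('pgsql'), extension_loaded('soap'));
printf("PHP %s: %s\n", $a['version'], $a['patched'] ? 'fixed release' : 'UNPATCHED');
printf("pgsql loaded: %s, soap loaded: %s\n",
       $a['pgsql'] ? 'yes' : 'no', $a['soap'] ? 'yes' : 'no');
if ($a['exposed']) {
    $target = FIXED_VERSIONS[$a['branch']] ?? 'a supported branch';
    echo "Action: upgrade to {$target} or later (CVE-2025-1735, CVE-2025-6491)\n";
} elseif (!$a['patched']) {
    echo "Unpatched, but neither pgsql nor soap is loaded here\n";
}
```

One caveat when reading the output: distribution packages (Debian, Ubuntu, RHEL and their derivatives) often backport security fixes without bumping the version string that PHP_VERSION reports, so on such systems a result of UNPATCHED should be cross-checked against the distribution's own advisory for these CVEs rather than taken at face value.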