CVE-2025-1735

Summary

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP8.1.* < 8.1.33affected
PHP GroupPHP8.2.* < 8.2.29affected
PHP GroupPHP8.3.* < 8.3.23affected
PHP GroupPHP8.4.* < 8.4.10affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-476: CWE-476 NULL Pointer Dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References