PHP 8.x PDO PgSQL Emulate Prepares Null Deref Crash (CVE-2025-14180)
CVE-2025-14180 Published on December 27, 2025
NULL Pointer Dereference in PDO quoting
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16 and 8.5.* before 8.5.1, when the PDO PostgreSQL driver is used with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a NULL pointer dereference in the pdo_parse_params() function. This may crash the PHP process (segmentation fault) and affect the availability of the target server.
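The following is an added example, not code from the PHP project or from this advisory. It shows the two defensive choices the description implies for an application using pdo_pgsql: turn off emulated prepares so the driver does not quote parameters client-side, and reject parameter strings whose bytes are invalid in the client encoding before they reach the driver. It assumes the mbstring extension, UTF-8 as the client encoding, and a placeholder DSN; the `rejectInvalidEncoding` and `hardenedPdoOptions` names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example (not PHP's or the advisory's code). Assumes mbstring is loaded,
// the client encoding is UTF-8, and a pdo_pgsql DSN with placeholder credentials.

/**
 * Reject parameter values containing byte sequences that are not valid in the
 * client encoding. Such sequences are what the advisory describes as making the
 * driver's quoting step fail under PDO::ATTR_EMULATE_PREPARES.
 */
function rejectInvalidEncoding(array $params, string $encoding = 'UTF-8'): void
{
    foreach ($params as $name => $value) {
        if (is_string($value) && !mb_check_encoding($value, $encoding)) {
            throw new InvalidArgumentException(
                sprintf('Parameter %s contains bytes invalid in %s', (string) $name, $encoding)
            );
        }
    }
}

/**
 * Connection options: disable emulated prepares so parameters are bound
 * server-side rather than quoted by the driver in pdo_parse_params().
 */
function hardenedPdoOptions(): array
{
    return [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ];
}

// Constructed input: one valid string and one carrying the \x99 byte named in the advisory.
$samples = ['ok' => "alice", 'bad' => "ali\x99ce"];
foreach ($samples as $label => $value) {
    try {
        rejectInvalidEncoding(['name' => $value]);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}

// Against a real database (placeholder DSN and credentials; requires pdo_pgsql):
// $pdo  = new PDO('pgsql:host=localhost;dbname=app', 'user', 'secret', hardenedPdoOptions());
// $stmt = $pdo->prepare('SELECT 1 FROM users WHERE name = :name');
// rejectInvalidEncoding(['name' => $input]);
// $stmt->execute(['name' => $input]);
```

The validation step is worth keeping even after patching, since it turns an encoding problem into an application-level exception instead of a driver-level failure.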
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but is NULL, typically causing a crash or exit. NULL pointer dereference issues can arise from a number of flaws, including race conditions and simple programming omissions.
Products Associated with CVE-2025-14180
Affected Versions
PHP Group PHP:
- Version 8.1.* before 8.1.34 is affected.
- Version 8.2.* before 8.2.30 is affected.
- Version 8.3.* before 8.3.29 is affected.
- Version 8.4.* before 8.4.16 is affected.
- Version 8.5.* before 8.5.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.