Issues CVE-2025-1735 and CVE-2025-6491 affect PHP versions prior to 8.4.10 and could crash services or allow code injection

PHP is once again under scrutiny—this time due to two high-impact vulnerabilities targeting widely used extensions: PostgreSQL (pgsql) and SOAP. Tracked as CVE-2025-1735 and CVE-2025-6491, these flaws were patched in the latest PHP releases and pose a real threat to systems still running versions earlier than PHP 8.1.33, 8.2.29, 8.3.23, or 8.4.10.

Though exploitation requires specific conditions, both vulnerabilities can be triggered in production environments that handle untrusted input or lack strict validation.


CVE-2025-1735: Missing error checks in pgsql extension

This vulnerability stems from improper error handling in how PHP escapes strings and identifiers for PostgreSQL. Specifically, calls to functions like PQescapeStringConn() fail to pass proper error parameters, making it impossible to detect malformed inputs or encoding errors.

“Since the error parameter isn’t passed, PHP can’t react if PostgreSQL rejects a malformed string. This can lead to SQL injection or segfaults due to unverified NULL pointers,” the security advisory explains.

Developers using PQescapeIdentifier() without validating the returned value are at greater risk, as it may return NULL and trigger a null pointer dereference crash, affecting application stability.

This highlights the importance of validating return values when interacting with low-level extensions.


CVE-2025-6491: NULL pointer dereference in SOAP via oversized XML prefixes

The second vulnerability, reported by Ahmed Lekssays (Qatar Computing Research Institute), targets PHP’s SOAP extension. The flaw is triggered when processing an XML qualified name with a prefix longer than 2 GB, leading to a null pointer dereference during serialization.

A minimal exploit might look like this (the advisory's crash trigger, with comments added):

<?php
// Prefix of 0x7fffffff bytes (just under 2 GB): this is the length that makes xmlBuildQName() fail.
$hugePrefix = str_repeat("A", 0x7fffffff);
$localName = "Element";
// The fifth SoapVar argument is the node name; a "prefix:local" qualified name is passed here.
$soapVar = new SoapVar("value", XSD_STRING, null, null, "{$hugePrefix}:{$localName}");
$client = new SoapClient(null, ['location' => 'http://127.0.0.1/', 'uri' => 'urn:dummy']);
// Serialising the request dereferences the NULL result of xmlBuildQName() on unpatched PHP and crashes the worker.
$client->__soapCall("DummyFunction", [$soapVar]);

“Just a 2GB+ prefix causes xmlBuildQName() to silently fail, leading to a segfault when serializing the XML node,” the advisory confirms.

This flaw exposes SOAP services to denial-of-service (DoS) whenever they accept uncontrolled input, since a single crafted request can crash the worker handling it.


What sysadmins and developers should do

  1. Update PHP to the latest secure version:
    • 8.1.33
    • 8.2.29
    • 8.3.23
    • 8.4.10
  2. Audit loaded extensions, especially pgsql and soap, and review code for manual escaping or use of SoapVar.
  3. Monitor logs for segmentation faults or unusual errors tied to SOAP or database interactions.
  4. Enforce input validation before passing data to database or XML-related functions.
  5. Avoid exposing SoapClient to unauthenticated external inputs without strong filtering.
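An added audit helper for steps 1 and 3 (not code from the original article or the PHP project): it compares an installed PHP version string against the patched releases listed above and flags PHP worker segfaults in php-fpm or Apache error logs. The sample log lines are constructed; treating branches newer than 8.4 as already patched is an assumption.

```python
"""Audit helpers for CVE-2025-1735 / CVE-2025-6491: version check and crash-log triage."""
import re

# First patched release per branch, as listed in the advisory summary.
FIXED_PATCH = {(8, 1): 33, (8, 2): 29, (8, 3): 23, (8, 4): 10}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '8.3.22' or distro strings like '8.3.22-1ubuntu2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True when the installed PHP predates the fix for its branch.

    Branches older than 8.1 receive no fix and are treated as vulnerable;
    branches newer than 8.4 are assumed to ship with the fix (assumption).
    """
    major, minor, patch = parse_version(version_text)
    if (major, minor) < (8, 1):
        return True
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


# Matches a php-fpm child or an Apache child dying with SIGSEGV (signal 11).
_SEGFAULT_RE = re.compile(r"exited on signal 11 \(SIGSEGV|exit signal Segmentation fault \(11\)")


def find_segfaults(log_lines):
    """Return the log lines that record a PHP worker dying with SIGSEGV."""
    return [line for line in log_lines if _SEGFAULT_RE.search(line)]


# Constructed sample log lines in php-fpm and Apache format (not from a real incident).
SAMPLE_LOG = [
    "[05-Jul-2025 10:12:01] WARNING: [pool www] child 2314 exited on signal 11 (SIGSEGV) after 3.114 seconds from start",
    "[05-Jul-2025 10:12:01] NOTICE: [pool www] child 2320 started",
    "[05-Jul-2025 10:12:05] WARNING: [pool www] child 2320 exited on signal 11 (SIGSEGV - core dumped) after 4.002 seconds from start",
    "[Sat Jul 05 10:13:00 2025] [core:notice] [pid 1000] AH00052: child pid 2401 exit signal Segmentation fault (11)",
    "[05-Jul-2025 10:14:00] NOTICE: [pool www] child 2330 exited with code 0 after 60.0 seconds from start",
]

if __name__ == "__main__":
    for v in ("8.3.22", "8.3.23", "8.4.10-1+deb"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(len(find_segfaults(SAMPLE_LOG)), "worker segfaults in sample log")
```

Repeated SIGSEGV exits within seconds of each other on a host that exposes SOAP or pgsql-backed endpoints are the pattern worth correlating with access logs.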

A warning to the technical community

These issues are another reminder that PHP, despite its maturity, still relies heavily on C-based extensions, which can expose applications to low-level bugs with high severity.

As stated in KPMG Trends 2025, one of the biggest challenges for companies today is keeping tech stacks secure amid rapid evolution and complex attack surfaces. This case shows how a small omission in error handling can open the door to serious availability or data integrity risks.


Final word:
The PHP team has done its part. Now it’s up to development and sysadmin teams to patch their environments, audit their systems, and prevent these vulnerabilities from escalating into production incidents.

When it comes to infrastructure security, delay is never an ally.

Source: opensecurity
