CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Amber
Description (NVD)
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
Analysis (AI)
SQL injection in PHP's PDO Firebird driver lets remote attackers alter database queries when an application embeds the output of PDO::quote() on attacker-controlled input that contains a NUL byte. All maintained PHP branches from 8.2 through 8.5 are affected, with fixes released in 8.2.31, 8.3.31, 8.4.21 and 8.5.6. CVSS 7.4: the attack vector is network (AV:N) and no privileges are required (PR:N), but the vector records attack requirements outside the attacker's control (AT:P), i.e. preconditions that must already hold in the target deployment, here an application that concatenates PDO::quote() output into Firebird statements, as well as active user interaction (UI:A). Exploit maturity is rated proof-of-concept (E:P); no active exploitation was listed in CISA KEV at the time of analysis.
Technical Context (AI)
The vulnerability resides in PHP's PDO (PHP Data Objects) Firebird driver, specifically in the query preparation mechanism. When the driver rebuilds a SQL statement token by token, it copies string tokens with strncat(). That C standard library function reads its source as a NUL-terminated C string and stops at the first NUL byte (0x00), regardless of the length argument. PDO::quote() itself does its job: it wraps the value in single quotes and escapes embedded quote characters, and an embedded NUL byte survives inside the quoted PHP string because PHP strings carry an explicit length. When the driver later copies that quoted token with strncat(), everything after the NUL, including the closing quote, is dropped. The statement text that follows is then parsed as a continuation of the string literal rather than as SQL syntax, and an attacker who also controls a later quoted value can close the literal there and append their own SQL. This is a CWE-89 SQL injection variant arising from improper neutralization of special elements; the root cause is the semantic gap between PHP's length-aware strings and C's NUL-terminated strings. Only code paths that assemble SQL from PDO::quote() output are exposed; prepared statements with bound parameters do not pass attacker data through this token copy. The PDO Firebird driver is far less commonly deployed than the MySQL or PostgreSQL drivers, which limits real-world exposure. The CPE cpe:2.3:a:php_group:php indicates that the core PHP interpreter packages across distributions are affected whenever PDO Firebird support is compiled in or loaded as an extension.
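The token-copy defect described above, as an added illustration; this is not code from php-src, and neither the real driver's tokenizer nor its actual fix is reproduced here. A simplified assembler takes tokens as pointer-plus-length pairs, the way PHP carries strings, and glues them with strncat() as the description says the driver did; a length-aware variant copies by byte count instead, and a tokens_contain_nul() check shows how a driver could refuse such a statement outright rather than truncate it. The statement text and the quoted value 'x\0' are constructed inputs, and all function names are assumed for the example.

```c
#include <stdio.h>
#include <string.h>

/* A token as PHP hands it to the driver: pointer plus explicit length, so an
 * embedded NUL byte is ordinary data rather than a terminator. */
typedef struct { const char *data; size_t len; } token_t;

#define TOK(s) { (s), sizeof(s) - 1 }   /* string literal or char array -> token */

/* Buggy assembly, modelling the defect in the description: strncat() treats the
 * source as a C string and stops at its first NUL, so the bytes after it,
 * including the closing quote of a quoted value, are silently dropped.
 * Returns strlen(out), or (size_t)-1 if the output buffer is too small. */
size_t assemble_strncat(const token_t *toks, size_t n, char *out, size_t cap) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + toks[i].len >= cap) return (size_t)-1;
        strncat(out, toks[i].data, toks[i].len);   /* stops early at NUL */
    }
    return strlen(out);
}

/* Length-aware assembly: copy exactly len bytes of every token. Returns the
 * byte count written, which exceeds strlen(out) when a NUL was embedded. */
size_t assemble_by_length(const token_t *toks, size_t n, char *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + toks[i].len >= cap) return (size_t)-1;
        memcpy(out + pos, toks[i].data, toks[i].len);
        pos += toks[i].len;
    }
    out[pos] = '\0';
    return pos;
}

/* Does any token carry an embedded NUL? A driver that cannot forward that byte
 * to the server should refuse the statement rather than truncate it. */
int tokens_contain_nul(const token_t *toks, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (memchr(toks[i].data, '\0', toks[i].len)) return 1;
    return 0;
}

/* Length of the first single-quoted literal in buf[0..len), -1 if unterminated. */
long first_literal_len(const char *buf, size_t len) {
    const char *open = memchr(buf, '\'', len);
    if (!open) return -1;
    size_t rest = len - (size_t)(open + 1 - buf);
    const char *close = memchr(open + 1, '\'', rest);
    return close ? (long)(close - open - 1) : -1;
}

/* Constructed input (hypothetical application): it embedded PDO::quote("x\0"),
 * i.e. the 4 bytes 'x\0', and a second quoted value into one statement. */
static const char quoted_nul[] = "'x\0'";
static const token_t demo_toks[] = {
    TOK("SELECT * FROM t WHERE a = "),
    TOK(quoted_nul),
    TOK(" AND b = "),
    TOK("'y'"),
};
#define DEMO_N (sizeof demo_toks / sizeof demo_toks[0])

/* Assemble the demo statement via the buggy (1) or length-aware (0) path. */
static size_t build_demo(int buggy, char *q, size_t cap) {
    return buggy ? assemble_strncat(demo_toks, DEMO_N, q, cap)
                 : assemble_by_length(demo_toks, DEMO_N, q, cap);
}

size_t demo_query_len(int buggy) { char q[128]; return build_demo(buggy, q, sizeof q); }

long demo_literal_len(int buggy) {
    char q[128];
    size_t len = build_demo(buggy, q, sizeof q);
    return first_literal_len(q, len);
}

int demo_has_nul(void) { return tokens_contain_nul(demo_toks, DEMO_N); }

int main(void) {
    char q[128];
    build_demo(1, q, sizeof q);
    printf("strncat path: %s\n  first literal spans %ld bytes: the AND clause is now inside it\n",
           q, demo_literal_len(1));
    printf("length-aware path: first literal spans %ld bytes; embedded NUL present: %d\n",
           demo_literal_len(0), demo_has_nul());
    return 0;
}
```

Compiled with any C99 compiler, the strncat() path produces SELECT * FROM t WHERE a = 'x AND b = 'y': the first literal now spans x AND b = , and the second quoted value is what closes it, so whoever controls that second value controls where the SQL resumes. The length-aware path keeps the closing quote and reports the embedded NUL, so the caller can decide to reject the statement.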
Remediation (AI)
Upgrade PHP to a fixed release: 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (or later) on the respective branch. The patches correct NUL byte handling in the PDO Firebird query tokenizer. Where immediate patching is not feasible:
(1) Replace SQL assembled from PDO::quote() output with prepared statements (PDO::prepare() with parameters bound via execute() or PDOStatement::bindValue()), which do not pass attacker data through the affected string-token copy. Cost: code refactoring.
(2) If the application does not need Firebird, do not compile in or load the pdo_firebird extension, removing the attack surface. Cost: none unless code later depends on Firebird.
(3) Reject or strip NUL bytes (0x00) from user input before it reaches database code. This is defense in depth only: validation can be incomplete or bypassed, and it does not fix the driver.
The primary remediation is upgrading to the fixed versions per the vendor advisory https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm.
EUVD-2025-209755