Critical PHP Vulnerabilities Expose Systems to SQL Injection & DoS Attacks – Update Immediately

A newly disclosed security vulnerability (CVE-2025-1735) in the PHP pgsql extension has raised concerns among developers and system administrators.

The flaw, rated as moderate severity, arises from the extension’s failure to properly check for errors during the escaping of input data.

Specifically, the extension does not pass error parameters to the PQescapeStringConn() function, which prevents it from reporting encoding errors.

Additionally, several calls to PQescapeIdentifier() neglect to verify if the returned value is NULL, a documented method for these functions to signal errors.

This oversight can result in two major issues: potential SQL injection attacks and application crashes due to null pointer dereferences.

The vulnerability affects PHP versions before 8.1.33, 8.2.29, 8.3.23, and 8.4.10.

Developers relying on these versions are urged to upgrade immediately, as patched releases are now available.

The root of the problem is closely tied to a recent PostgreSQL vulnerability (CVE-2025-1094), which exposed weaknesses in how escaping functions handle invalid multibyte characters—an issue that can be exploited to bypass traditional SQL injection defenses.

Broader Security Implications and Urgent Mitigation Steps

The implications of this vulnerability are significant.

If an attacker can inject malicious input containing invalid multibyte characters, the absence of proper error checking in the PHP pgsql extension may allow the input to slip past escaping mechanisms.

This can lead to unauthorized SQL commands being executed on the database, compromising the confidentiality, integrity, and availability of critical data.

In some scenarios, improper error handling may also cause the application to crash, increasing the risk of denial-of-service attacks.

Security experts emphasize the importance of prompt patching and robust input validation.

Organizations using PHP with PostgreSQL should ensure they are running the latest versions of both PHP and PostgreSQL, as both projects have released updates to address these vulnerabilities.

Furthermore, regular security audits and adherence to secure coding practices are essential to minimize exposure to similar flaws in the future.

The interconnected nature of these vulnerabilities underscores the need for a proactive, multi-layered security approach in modern web application development.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates