php security

A subtle sequence of PHP internals — an exception triggered inside a magic property setter combined with a null‑coalescing assignment — can produce a use‑after‑free in the engine’s shutdown path, leaving unpatched PHP 8.3 and 8.4 builds exposed to high‑impact crashes and, in some scenarios, the...

The knplabs/knp-snappy library — a widely used PHP wrapper for wkhtmltopdf and wkhtmltoimage — contains a high‑severity unsafe deserialization vulnerability that can be trivially abused to achieve remote code execution when the application environment and usage patterns permit it; the bug...

A subtle bug in PHP’s password verification logic — tracked as CVE‑2024‑3096 — let an attacker gain account access in a corner case: if a stored password hash begins with a NUL (0x00) byte, calling password_verify() with a blank password could return true. Microsoft’s Security Response Center...

CVE-2024-2756 is a practical reminder that a terse vendor mapping — “Azure Linux includes this open‑source library and is therefore potentially affected” — is an attestation of scope, not a categorical guarantee that no other Microsoft product could ship the same vulnerable code. Background /...

PHP’s PDO PostgreSQL stack contains a newly disclosed null-pointer dereference that can crash PHP processes and knock applications offline when emulated prepares are enabled — CVE-2025-14180 affects multiple PHP 8.x branches and was patched in the late‑December security release cycle; operators...

PHP’s core image helper has a subtle but consequential flaw: CVE‑2025‑14177 is an information‑disclosure bug in the getimagesize implementation that can cause uninitialized heap bytes to be copied into JPEG APPn metadata (for example APP1), leaking fragments of process memory when images are...

A newly assigned CVE (CVE-2025-14178) discloses a heap buffer overflow in PHP’s array_merge that can be triggered when a sequence of packed arrays causes integer overflow while precomputing element counts — a defect patched in PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16 and 8.5.1 and now tracked across...