php security
About this tag
The php security tag on WindowsForum covers critical vulnerabilities and patches affecting PHP runtimes and libraries. Recent discussions include CVE-2024-11235, a use-after-free in PHP 8.3/8.4 requiring urgent patching; CVE-2023-41330, a PHAR deserialization flaw in knp-snappy; CVE-2024-3096, a password_verify bug with NUL-byte hashes; CVE-2024-2756, a cookie-handling vulnerability; CVE-2025-14180, a null-pointer dereference in PDO PostgreSQL; CVE-2025-14177, an information leak via getimagesize; and CVE-2025-14178, a heap overflow in array_merge. Topics emphasize patching urgency, Microsoft Azure Linux attestation, and practical mitigation steps for operators.
A subtle sequence of PHP internals — an exception triggered inside a magic property setter combined with a null‑coalescing assignment — can produce a use‑after‑free in the engine’s shutdown path, leaving unpatched PHP 8.3 and 8.4 builds exposed to high‑impact crashes and, in some scenarios, the...
The knplabs/knp-snappy library — a widely used PHP wrapper for wkhtmltopdf and wkhtmltoimage — contains a high‑severity unsafe deserialization vulnerability that can be trivially abused to achieve remote code execution when the application environment and usage patterns permit it; the bug...
A subtle bug in PHP’s password verification logic — tracked as CVE‑2024‑3096 — let an attacker gain account access in a corner case: if a stored password hash begins with a NUL (0x00) byte, calling password_verify() with a blank password could return true. Microsoft’s Security Response Center...
CVE-2024-2756 is a practical reminder that a terse vendor mapping — “Azure Linux includes this open‑source library and is therefore potentially affected” — is an attestation of scope, not a categorical guarantee that no other Microsoft product could ship the same vulnerable code.
Background /...
PHP’s PDO PostgreSQL stack contains a newly disclosed null-pointer dereference that can crash PHP processes and knock applications offline when emulated prepares are enabled — CVE-2025-14180 affects multiple PHP 8.x branches and was patched in the late‑December security release cycle; operators...
PHP’s core image helper has a subtle but consequential flaw: CVE‑2025‑14177 is an information‑disclosure bug in the getimagesize implementation that can cause uninitialized heap bytes to be copied into JPEG APPn metadata (for example APP1), leaking fragments of process memory when images are...
A newly assigned CVE (CVE-2025-14178) discloses a heap buffer overflow in PHP’s array_merge that can be triggered when a sequence of packed arrays causes integer overflow while precomputing element counts — a defect patched in PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16 and 8.5.1 and now tracked across...