Critical PHP Vulnerabilities Allow SQL Injection & DoS Attacks – Patch Now


If you’re using PHP in your applications, it’s time to stop what you’re doing and check your version. Recently, security researchers disclosed two serious vulnerabilities in PHP that could allow attackers to perform SQL injection (SQLi) and denial-of-service (DoS) attacks.

These issues affect widely used components, PostgreSQL and SOAP extensions, and put both small websites and enterprise apps at risk. And the worst part? They affect millions of live applications still using vulnerable versions.

The flaws, tracked as CVE-2025-1735 and CVE-2025-6491, have been rated as moderate in severity, but their impact could be anything but. In many environments, these vulnerabilities can be chained with other weaknesses or even misconfigurations, turning what appears to be a minor bug into a critical security incident.

What’s Happening?

Two flaws, CVE-2025-1735 and CVE-2025-6491, are shaking the PHP world. These vulnerabilities impact PostgreSQL and SOAP extensions in PHP. They don’t just open the door to data theft and service crashes, they practically take the door off its hinges.

TL;DR – Key Takeaways:

  • SQL Injection Risk via PostgreSQL (CVE-2025-1735)
  • DoS Crash Risk via SOAP (CVE-2025-6491)
  • Affected Versions: PHP < 8.1.33, < 8.2.29, < 8.3.23, < 8.4.10
  • Patched Versions: 8.1.33+, 8.2.29+, 8.3.23+, 8.4.10+
  • Act fast or risk full application compromise

CVE-2025-1735 – SQL Injection + App Crash via PostgreSQL Extension

Let’s start with CVE-2025-1735, which impacts the PostgreSQL (pgsql) extension in PHP. This flaw stems from improper error handling when escaping input data that is later used in SQL queries.

More specifically, PHP does not pass the necessary error parameters to the PQescapeStringConn() function. Because of this, it silently fails to catch encoding issues. In parallel, it also fails to check if the PQescapeIdentifier() function returns NULL, which, according to documentation, signals an error.


As a result, the application either continues without flagging the error or crashes, depending on how it’s written. Either way, it opens the door for attackers.

This means an attacker can supply carefully crafted input that is escaped incorrectly, slips past the application’s defensive mechanisms, and is later used in a malicious SQL command.


This is SQL injection, a severe problem that may give unauthorised users access to your data, affect your database in many other ways, and even lead to remote code execution in certain configurations.

What makes this exploit more dangerous is that it is tied to a PostgreSQL bug (CVE-2025-1094). Although the PostgreSQL team has patched their side, the escaping operations that PHP performs internally still fail to raise the expected errors.

So if you upgrade the database but not the PHP runtime, you are still not safe.

CVE-2025-6491 – SOAP Extension Can Take You Down with a Single Request

Now let’s talk about CVE-2025-6491. This one affects the SOAP extension. It might sound less common, but it’s still used in a lot of legacy applications, especially in enterprise environments. The issue occurs when a SoapVar instance is created using a namespace name longer than 2 gigabytes, a huge but technically valid input.

This causes a NULL pointer dereference that results in a segmentation fault, crashing the entire application. The root cause is tied to limitations in older versions of libxml2 (below 2.13), which cannot handle XML node names of that size.


In simpler terms, an attacker can send a malicious SOAP request that causes your server to crash. While it may not grant access to data, it can take your application offline, creating a perfect window for further attacks or simply wreaking havoc on your uptime.

Security experts have already confirmed that these vulnerabilities can be reliably reproduced. Both issues affect all PHP versions before 8.1.33, 8.2.29, 8.3.23, and 8.4.10.

That means if your server is running anything below these versions, you’re likely exposed. Even development releases like PHP 8.5.0-dev are impacted if paired with an older libxml2 library.
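
The version thresholds above can be turned into a quick fleet check. The following is an added example, not code from the PHP project or the original article; the host names and version pairs in INVENTORY are constructed, and the verdict labels are this example's own.

```python
import re

# Minimum patched release per branch and the libxml2 threshold, both from this page.
PATCHED = {(8, 1): 33, (8, 2): 29, (8, 3): 23, (8, 4): 10}
LIBXML2_SAFE = (2, 13)
VERDICT = {True: "patched", False: "exposed", None: "unknown"}


def parse(version):
    """'8.2.28' or '8.5.0-dev' -> (8, 2, 28); a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def php_patched(php_version):
    """True/False for branches the page lists, None for newer ones (e.g. 8.5.0-dev)."""
    major, minor, patch = parse(php_version)
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    # Anything older than 8.1 is below every patched release.
    return False if (major, minor) < min(PATCHED) else None


def assess(php_version, libxml2_version):
    """Map one host's PHP and libxml2 versions to a verdict per CVE."""
    patched = php_patched(php_version)
    if patched:
        soap = "patched"
    elif parse(libxml2_version)[:2] >= LIBXML2_SAFE:
        soap = "not triggerable (libxml2 >= 2.13)"
    else:  # unpatched or unlisted build on old libxml2 (the 8.5.0-dev case)
        soap = "exposed"
    return {"CVE-2025-1735": VERDICT[patched], "CVE-2025-6491": soap}


# Constructed inventory: (host, PHP version, libxml2 version).
INVENTORY = [
    ("web-01", "8.2.28", "2.9.14"),
    ("web-02", "8.3.23", "2.9.14"),
    ("web-03", "8.1.32", "2.13.4"),
    ("legacy-01", "7.4.33", "2.9.10"),
    ("build-01", "8.5.0-dev", "2.12.7"),
]

if __name__ == "__main__":
    for host, php, xml in INVENTORY:
        print(host, php, xml, assess(php, xml))
```

An "unknown" verdict means the branch is not in the patched list on this page and needs a manual check.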

Vulnerability Snapshot

CVE | Component | Type | Affected Versions | CVSS Score
CVE-2025-1735 | PostgreSQL extension | SQL Injection / DoS | < 8.1.33 / 8.2.29 / 8.3.23 / 8.4.10 | 9.1 (Critical)
CVE-2025-6491 | SOAP extension | Denial of Service | Same versions + libxml2 < 2.13 | 5.9 (Moderate)

What You Should Do (Right Now)?

The fixes are already available. Developers and administrators should upgrade to the patched PHP versions without delay.

In addition to upgrading, it’s equally important to audit your code for unsafe database operations and improper handling of SOAP input. If you’re relying on legacy integrations, this might also be a good time to consider modernising them or adding an automated monitoring tool, such as SiteLock, to stay secure from these attacks in the future.
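
One way to start the code audit recommended above is to list every call site that uses the affected escaping functions or constructs a SoapVar, and to rank the ones fed by request data. This is an added example, not part of the original article; it assumes pg_escape_string() and pg_escape_identifier() are the PHP calls backed by the libpq functions named earlier, and the PHP snippet in SAMPLE is constructed.

```python
import re

# Assumption (not stated on the page): these two PHP calls reach the libpq
# functions named in the advisory; "new SoapVar" covers the SOAP issue.
RULES = {
    "CVE-2025-1735": re.compile(r"\bpg_escape_(?:string|identifier)\s*\(", re.I),
    "CVE-2025-6491": re.compile(r"\bnew\s+\\?SoapVar\s*\(", re.I),
}
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*(.*)")


def uses(text, variables):
    """True when text reads request input or a variable derived from it."""
    return bool(REQUEST_INPUT.search(text)) or any(
        re.search(re.escape(v) + r"\b", text) for v in variables)


def audit(path, source):
    """Return (path, line, cve, priority) for every call site to review."""
    tainted, findings = set(), []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue                        # comment-only line
        assigned = ASSIGN.search(line)
        if assigned and uses(assigned.group(2), tainted):
            tainted.add(assigned.group(1))  # forward-propagate request data
        for cve, rule in RULES.items():
            hit = rule.search(line)
            if hit:
                risky = uses(line[hit.end():], tainted)
                findings.append((path, number, cve, "high" if risky else "review"))
    return findings


# Constructed PHP source, for demonstration only.
SAMPLE = '''<?php
$name = $_GET['name'];
$ns = $_POST['ns'];
// pg_escape_string($conn, $old) is no longer used here
$q = "SELECT * FROM users WHERE name = '" . pg_escape_string($conn, $name) . "'";
$col = pg_escape_identifier($conn, "created_at");
$v = new SoapVar($payload, XSD_STRING, "item", $ns);
$r = pg_query_params($conn, 'SELECT 1 WHERE id = $1', [$id]);
'''

if __name__ == "__main__":
    for finding in audit("app/users.php", SAMPLE):
        print(*finding)
```

The scan is a line-based heuristic: a "review" hit still runs the affected code path on an unpatched runtime, and a clean result does not replace upgrading.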

Attacks exploiting these types of vulnerabilities often fly under the radar until it’s too late. SQL injection can be subtle and hard to detect once executed. DoS attacks, on the other hand, might appear like a random crash until the pattern becomes obvious. That’s why early action is key. Keep logs, set up monitoring, and configure alerts to help you catch potential exploitation attempts early.

Conclusion

Don’t wait for an attack to expose your weak spot. These PHP flaws are real, exploitable, and already being watched by threat actors. Updating your systems is step one, but staying secure is an ongoing game.

Prevent SQL injection and DDoS attacks on your website with automated monitoring tools like SiteLock Security, and keep your site safe 24/7.

Janki Mehta


Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.