CVE-2025-14178
📋 TL;DR
A heap buffer overflow in PHP's array_merge() function corrupts memory when large packed (list-style) arrays are merged. Affected PHP versions can crash the worker process handling the request; with enough control over heap layout this class of bug can in principle escalate to code execution. Any PHP application that merges large arrays derived from untrusted input (decoded JSON, form fields, query strings) is exposed until the runtime is patched.
💻 Affected Systems
- PHP
📦 What is this software?
PHP by PHP
PHP is a server-side scripting language; array_merge() is a core standard-library function that concatenates arrays, renumbering integer keys and overwriting duplicate string keys.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, or persistent backdoor installation.
Likely Case
Application crashes causing denial of service, memory corruption leading to unpredictable behavior, or potential information disclosure.
If Mitigated
Limited to denial of service if memory protections prevent code execution, with crashes contained to affected PHP processes.
🎯 Exploit Status
Exploitation requires getting a vulnerable array_merge() call to run on attacker-influenced large packed arrays. Whether that is reachable without authentication depends entirely on the application: any endpoint that builds large arrays from request data and merges them is a candidate. Crashing the worker is the easy outcome; turning the overflow into code execution would additionally require control over heap layout and knowledge of PHP's internal array structures. No public exploit is referenced here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2
Restart Required: Yes
Instructions:
1. Identify the running PHP version with 'php -v'. If the web tier uses PHP-FPM or mod_php, also check that SAPI ('php-fpm -v', or a phpinfo() page), since the CLI binary can differ from the one serving requests.
2. Update PHP using your package manager: 'apt update && apt upgrade php' (Debian/Ubuntu) or 'yum update php' (RHEL/CentOS).
3. Restart whatever executes PHP: the PHP-FPM service ('systemctl restart php-fpm', or the versioned unit such as php8.3-fpm on Debian/Ubuntu) and, for mod_php, Apache ('systemctl restart apache2' or 'systemctl restart httpd'). Restarting nginx alone does not reload PHP-FPM workers.
4. Verify with 'php -v' and, under the web SAPI, a phpinfo() page or a script that prints PHP_VERSION.
🔧 Temporary Workarounds
Input validation for array sizes
Validate array sizes before calling array_merge() so attacker-controlled input cannot produce arrays large enough to reach the overflow condition. This page does not state the exact triggering size, so choose a cap that your application never legitimately needs; the constant below is an illustration of that pattern, not the vulnerable threshold.
```php
// Application-chosen cap; an illustration, not the triggering size from the advisory.
const MAX_MERGE_ELEMENTS = 100000;
if (count($array1) + count($array2) > MAX_MERGE_ELEMENTS) {
    throw new LengthException('refusing to merge oversized arrays');
}
$result = array_merge($array1, $array2);
```
Use alternative array functions
Replace array_merge() on untrusted input with a plain loop, or with array_merge_recursive() where its semantics are acceptable. Nothing on this page establishes that array_merge_recursive() is unaffected, and it behaves differently (duplicate string keys are collected into nested arrays rather than overwritten), so treat either substitution as a stopgap until the patch lands.
```php
// Only where recursive-merge semantics are acceptable; see the caveat above.
$result = array_merge_recursive($array1, $array2);
```
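The "manual array combination" mentioned above, written out as an added example (this is not code from the advisory or from php-src). It reproduces array_merge()'s documented key handling so callers see no behavioural change, while never invoking the vulnerable function; it still runs on the same engine, so it is a workaround, not a fix.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the advisory): merge arrays without calling
 * array_merge(), reproducing its documented key semantics:
 *  - integer keys are dropped and values renumbered from 0,
 *  - string keys are kept and a later array's value overwrites an earlier one.
 * This avoids the vulnerable function only; patching PHP is the real fix.
 */
function manual_array_merge(array ...$arrays): array
{
    $result = [];
    foreach ($arrays as $array) {
        foreach ($array as $key => $value) {
            if (is_int($key)) {
                $result[] = $value;      // renumber, as array_merge() does
            } else {
                $result[$key] = $value;  // string key: later value wins
            }
        }
    }
    return $result;
}

// Self-check against the real function on small (safe) inputs; the
// arrays are constructed for this example.
$a = [1, 2, 'x' => 'old', 5 => 3];
$b = ['x' => 'new', 'y' => 4, 9 => 5];
var_dump(manual_array_merge($a, $b) === array_merge($a, $b));
```

Run the self-check once on a patched host before deploying the replacement, so that any difference in key handling shows up in a test rather than in production.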
🧯 If You Can't Patch
- Bound the size of untrusted input before it can become a large PHP array: cap request bodies at the web server or WAF (client_max_body_size in nginx, LimitRequestBody in Apache) and tighten post_max_size and max_input_vars in php.ini. Generic WAF signatures cannot recognise "a large array operation"; size limits are the enforceable control.
- Keep memory_limit and max_execution_time tight so a crashing or runaway request is contained to one PHP worker. These settings limit resource use; they do not prevent the overflow itself.
🔍 How to Verify
Check if Vulnerable:
Run 'php -v' and check whether the version falls in an affected range: 8.1.0-8.1.33, 8.2.0-8.2.29, 8.3.0-8.3.28, 8.4.0-8.4.15, 8.5.0. Check the SAPI that actually serves requests, not only the CLI: 'php-fpm -v' for FPM, or a phpinfo() page for mod_php, since they can be different binaries.
Check Version:
php -v | head -1
php-fpm -v | head -1
Verify Fix Applied:
After patching, verify the version is at least 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1 using 'php -v' and the web SAPI. Distribution packages may backport the fix without adopting the upstream version string; if the version still reads as affected after an update, confirm against your distribution's changelog or advisory for this CVE.
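The version check as an added example, not from the advisory: a short PHP script that reports whether the interpreter executing it is below the first fixed release for its branch. Running it under the web SAPI (drop it in a test vhost, or feed it to php-fpm) answers the question 'php -v' on the CLI cannot. The fixed-version table is copied from this page; the parsing of distro suffixes is an assumption about common package version strings.

```php
<?php
declare(strict_types=1);

// Added example (not from the advisory): first fixed release per minor branch,
// as listed on this page.
const CVE_2025_14178_FIXED = [
    '8.1' => '8.1.34',
    '8.2' => '8.2.30',
    '8.3' => '8.3.29',
    '8.4' => '8.4.16',
    '8.5' => '8.5.1',
];

function cve_2025_14178_status(string $version): string
{
    // Distro builds often append suffixes ("8.3.28-1+ubuntu22.04.1"); keep x.y.z
    // so version_compare() sees a plain release number (assumption about packaging).
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return "unknown (cannot parse '$version')";
    }
    $clean  = "$m[1].$m[2].$m[3]";
    $branch = "$m[1].$m[2]";

    if (!isset(CVE_2025_14178_FIXED[$branch])) {
        // Branches outside the advisory's ranges are not listed as affected or
        // fixed; do not read that as "safe".
        return "branch $branch not covered by this advisory; do not assume safe";
    }
    $fixed = CVE_2025_14178_FIXED[$branch];
    return version_compare($clean, $fixed, '<')
        ? "VULNERABLE ($clean is below $fixed)"
        : "patched ($clean is at least $fixed)";
}

// PHP_VERSION and PHP_SAPI describe the interpreter running this file
// (fpm-fcgi, apache2handler or cli), which is the one that matters.
echo PHP_SAPI, ' ', PHP_VERSION, ': ', cve_2025_14178_status(PHP_VERSION), PHP_EOL;
```

A "patched" verdict from this script is necessary but not sufficient where the distribution backports fixes without bumping the upstream version; a "VULNERABLE" verdict on a host you believe you updated should be settled against the distribution's changelog.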
📡 Detection & Monitoring
Log Indicators:
- PHP worker segmentation faults: php-fpm logs "child <pid> exited on signal 11 (SIGSEGV)"; Apache with mod_php logs "AH00052: child pid <pid> exit signal Segmentation fault (11)"; journald/kernel logs may show the php-fpm or httpd process faulting
- Bursts of PHP-FPM or Apache worker respawns ("child <pid> started") that coincide with a particular endpoint or client
- Memory allocation failures in PHP logs ("Allowed memory size of N bytes exhausted")
- Unusually large array or parameter counts in application logs, especially from unauthenticated endpoints that decode JSON or form data
Network Indicators:
- HTTP 500 errors following requests with large POST data
- Sudden service unavailability patterns
SIEM Query:
(source="php-fpm.log" OR source="apache_error.log" OR source="syslog") AND ("SIGSEGV" OR "Segmentation fault" OR "exit signal" OR "Allowed memory size")
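The log-side detection as an added example, not from the advisory: a PHP command-line script that applies the php-fpm and Apache crash patterns named above to log lines and flags a burst. The sample lines are constructed for this example; the burst threshold is an arbitrary starting point to tune against your baseline crash rate.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the advisory): match the two worker-crash formats a
 * PHP deployment normally produces.
 *  - php-fpm:  "WARNING: [pool www] child 4102 exited on signal 11 (SIGSEGV) ..."
 *  - Apache:   "[core:notice] [pid 2001] AH00052: child pid 2150 exit signal Segmentation fault (11)"
 */
const CRASH_PATTERNS = [
    'php-fpm' => '/\[pool (?<pool>[^\]]+)\] child (?<pid>\d+) exited on signal 11 \(SIGSEGV/',
    'apache'  => '/AH00052: child pid (?<pid>\d+) exit signal Segmentation fault \(11\)/',
];

/** One record per matching line: ['sapi' => ..., 'pid' => ..., 'line' => ...]. */
function find_segfaults(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        foreach (CRASH_PATTERNS as $sapi => $re) {
            if (preg_match($re, $line, $m)) {
                $hits[] = ['sapi' => $sapi, 'pid' => (int) $m['pid'], 'line' => rtrim($line)];
                break;
            }
        }
    }
    return $hits;
}

/** A crash or two is background noise; a burst in one log window is not. */
function is_crash_burst(array $hits, int $threshold = 3): bool
{
    return count($hits) >= $threshold;
}

// Constructed sample lines for offline use; timestamps and PIDs are made up.
$sample = [
    '[19-Jan-2026 10:15:02] NOTICE: fpm is running, pid 4001',
    '[19-Jan-2026 10:15:31] WARNING: [pool www] child 4102 exited on signal 11 (SIGSEGV) after 12.345678 seconds from start',
    '[19-Jan-2026 10:15:31] NOTICE: [pool www] child 4110 started',
    '[19-Jan-2026 10:15:33] WARNING: [pool www] child 4110 exited on signal 11 (SIGSEGV - core dumped) after 1.812345 seconds from start',
    '[Mon Jan 19 10:15:40.123456 2026] [core:notice] [pid 2001:tid 140] AH00052: child pid 2150 exit signal Segmentation fault (11)',
    '[19-Jan-2026 10:16:00] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it',
];

$hits = find_segfaults($sample);
printf("%d worker crash(es) found%s\n", count($hits), is_crash_burst($hits) ? ' - burst, investigate' : '');
foreach ($hits as $h) {
    printf("  %-7s pid %-6d %s\n", $h['sapi'], $h['pid'], $h['line']);
}
// Real use: find_segfaults(new SplFileObject('/var/log/php-fpm.log')), or pipe
// `journalctl -u php-fpm` into the script and iterate over STDIN.
```

Correlate each flagged PID with the access log entry it was serving (PHP-FPM's access.log or the Apache access log) to identify the endpoint and client behind the crashes; that pairing is what separates this bug from unrelated segfaults.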