CVE-2025-1735
📋 TL;DR
This vulnerability in PHP's PostgreSQL extensions (pgsql and pdo_pgsql) is a failure to check for errors when escaping values for database queries. The escaping itself is done client-side by libpq (PQescapeStringConn, PQescapeLiteral and friends) on behalf of pg_escape_string(), pg_escape_bytea(), pg_escape_literal(), pg_escape_identifier() and pdo_pgsql's PDO::quote(); no round trip to the server is involved. libpq's escaping routines report failure when the input contains a byte sequence that is invalid for the connection's client encoding, and affected PHP versions ignore that report: the process can crash, or the caller is handed an escape result that was never checked for errors. This affects PHP applications that load pgsql or pdo_pgsql on an unpatched PHP version.
💻 Affected Systems
- PHP with the pgsql or pdo_pgsql extension loaded: 8.1 before 8.1.33, 8.2 before 8.2.29, 8.3 before 8.3.23, 8.4 before 8.4.10 (8.0 and older are end-of-life and receive no fix)
📦 What is this software?
PHP by the PHP project: a general-purpose scripting language; the pgsql and pdo_pgsql extensions are its bindings to PostgreSQL via libpq.
⚠️ Risk & Real-World Impact
Worst Case
Denial of service: a PHP worker crashes (segmentation fault) when an escaping call fails on attacker-supplied input, disrupting availability for every request served by that worker; if the application interpolates an unchecked escape result into SQL, the query built from it cannot be trusted either.
Likely Case
Application instability or crashes when untrusted string data containing byte sequences that are invalid for the connection's client encoding (for example malformed UTF-8 on a UTF8 connection) reaches pg_escape_*() or PDO::quote() on an unpatched PHP.
If Mitigated
Minimal impact where untrusted input is validated for encoding before it reaches the escaping functions (or queries are parameterized so the escaping path is not used at all), and where process supervision (PHP-FPM's own child respawning, a service manager) restarts crashed workers.
🎯 Exploit Status
Exploitation requires getting a string with byte sequences invalid for the connection's client encoding into one of the affected escaping functions. No database credentials or special application access are needed: any untrusted input the application passes to pg_escape_*() or PDO::quote() (form fields, query-string parameters, headers, JSON bodies) is a candidate, so the real precondition is that the application calls these functions on user-controlled data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.33, 8.2.29, 8.3.23 (and 8.4.10 for the 8.4 branch)
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3
Restart Required: Yes
Instructions:
1. Update PHP to a patched version with your package manager (apt, dnf/yum) or by rebuilding the container image with the patched release.
2. Restart PHP-FPM or the web server (Apache with mod_php, or Nginx + PHP-FPM) so the new binary is loaded.
3. Verify with 'php -v', and separately for the SAPI that serves traffic (the php-fpm binary's '-v', or a phpinfo() page), since the CLI binary and the FPM/mod_php build can be different packages at different versions.
🔧 Temporary Workarounds
Disable PostgreSQL extensions
Temporarily disable the pgsql and pdo_pgsql extensions if the application does not require PostgreSQL; if it does, this is an outage rather than a workaround.
php -d disable_functions=pg_escape_string,pg_escape_bytea (this only affects that single CLI invocation; for PHP-FPM or mod_php set disable_functions in php.ini instead. It also does not cover pg_escape_literal(), pg_escape_identifier() or PDO::quote(), and a call to a disabled function fails outright, so it only helps where those calls are not on a code path the application needs.)
Comment out extension=pgsql and extension=pdo_pgsql in php.ini (or in the per-extension conf.d drop-in files that Debian/Ubuntu and RHEL-family packages use), then restart PHP-FPM or the web server.
🧯 If You Can't Patch
- Validate the encoding of untrusted input before it reaches pg_escape_string(), pg_escape_bytea(), pg_escape_literal(), pg_escape_identifier() or PDO::quote(): on a UTF8 connection, reject anything that is not valid UTF-8. The escaping failure these functions mishandle is triggered by byte sequences that are invalid for the connection's client encoding, so input that passes an encoding check never takes the faulty path.
- Prefer parameterized queries (pg_query_params(), pg_prepare()/pg_execute(), or PDO prepared statements) over manual escaping; a value bound as a parameter is never passed through the affected escaping functions, and an invalid byte sequence is then rejected by the server as an ordinary query error.
- Add monitoring and automatic restart for PHP processes to limit the impact of a crash (PHP-FPM already respawns a crashed child; size the worker pool so one crashing request does not starve the others).
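The first two points above as an added example, written for this page and not code from the PHP project or the advisory: untrusted input is checked for valid UTF-8 before it can reach a pg_escape_*() call, and the query itself is parameterized with pg_query_params() so no client-side escaping is involved at all. It assumes the connection's client encoding is UTF-8; the `$conn` handle, the `users` table and its columns are hypothetical, and the sample inputs are constructed. The encoding check runs offline; the database part only runs when a PG_DSN environment variable is set.

```php
<?php
declare(strict_types=1);

/**
 * Reject byte sequences that are not valid UTF-8 before they reach the
 * pgsql escaping functions. preg_match() with the /u modifier returns
 * false (not 0) on invalid UTF-8, so this needs no mbstring dependency.
 * Assumption: the PostgreSQL connection uses client_encoding = UTF8.
 */
function is_valid_utf8(string $s): bool
{
    return preg_match('//u', $s) === 1;
}

/**
 * Escape a literal only after the encoding check. On a patched PHP,
 * pg_escape_literal() returns false when libpq reports an error; treat
 * that as fatal too rather than interpolating whatever came back.
 */
function safe_escape_literal($conn, string $value): string
{
    if (!is_valid_utf8($value)) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    $escaped = pg_escape_literal($conn, $value);
    if ($escaped === false) {
        throw new RuntimeException('pg_escape_literal failed: ' . pg_last_error($conn));
    }
    return $escaped;
}

/**
 * Preferred path: a parameterized query. The value travels as a bound
 * parameter, so no client-side escaping happens; an invalid byte sequence
 * is rejected by the server as a normal query error, not a crash.
 * Table and column names are hypothetical.
 */
function find_user_by_name($conn, string $name): array|false
{
    if (!is_valid_utf8($name)) {
        return false;
    }
    $res = pg_query_params($conn, 'SELECT id, name FROM users WHERE name = $1', [$name]);
    if ($res === false) {
        return false;
    }
    return pg_fetch_all($res);
}

// Constructed inputs: the last two are the kind of byte sequence that makes
// libpq's escaping routines report an error on a UTF8 connection.
$samples = [
    "O'Reilly"  => true,
    "caf\u{e9}" => true,
    "\xC3\x28"  => false,   // 0xC3 needs a continuation byte, 0x28 is not one
    "\xE2\x82"  => false,   // truncated three-byte sequence
];
foreach ($samples as $input => $expected) {
    $ok = is_valid_utf8($input);
    printf("%-16s valid=%-5s %s\n", bin2hex($input), var_export($ok, true),
        $ok === $expected ? 'ok' : 'MISMATCH');
}

// Only exercise the database path when a connection string is supplied,
// e.g. PG_DSN='host=localhost dbname=app user=app password=secret'.
if (($dsn = getenv('PG_DSN')) !== false) {
    $conn = pg_connect($dsn);
    if ($conn === false) {
        fwrite(STDERR, "connection failed\n");
        exit(1);
    }
    echo safe_escape_literal($conn, "O'Reilly"), "\n";   // 'O''Reilly'
    var_dump(find_user_by_name($conn, "O'Reilly"));
}
```

The encoding check is deliberately placed in front of both code paths: on an unpatched PHP it is the only thing standing between malformed input and the unchecked escaping call, and on a patched PHP it turns a late libpq error into an early, loggable validation failure.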
🔍 How to Verify
Check if Vulnerable:
Check the PHP version in the SAPI that actually serves traffic ('php -v' covers only the CLI binary; use the php-fpm binary's '-v' or a phpinfo() page for FPM/mod_php, since distribution packages can ship different builds) and confirm whether it is below the patched release for its branch. Check whether the extensions are loaded with 'php -m | grep -i pgsql', which lists both pgsql and pdo_pgsql; if neither is loaded, the vulnerable code is not reachable.
Check Version:
php -v | head -1
Verify Fix Applied:
After the update, confirm the version is 8.1.33+, 8.2.29+, 8.3.23+ (or 8.4.10+ on the 8.4 branch) in every SAPI in use, then test that PostgreSQL connectivity still works (a simple SELECT through the application's normal path).
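An added check script for the steps above, written for this page and not taken from the advisory or the PHP project. Running it inside the build being checked (with `php -r`, under PHP-FPM behind an access-restricted URL, or as a cron job) avoids the CLI-versus-FPM mismatch, because PHP_VERSION and get_loaded_extensions() describe the interpreter executing the script. The 8.4.10 entry is the 8.4 branch fix released alongside the versions listed above; the sample version/extension pairs are constructed.

```php
<?php
declare(strict_types=1);

// First fixed release per branch: 8.1 to 8.3 from the advisory above,
// 8.4.10 being the matching fix on the 8.4 branch.
const CVE_2025_1735_FIXED = [
    '8.1' => '8.1.33',
    '8.2' => '8.2.29',
    '8.3' => '8.3.23',
    '8.4' => '8.4.10',
];

/**
 * Classify a PHP build. $extensions is the list from get_loaded_extensions();
 * extension name casing varies between builds, so compare case-insensitively.
 */
function cve_2025_1735_status(string $version, array $extensions): string
{
    $loaded = array_map('strtolower', $extensions);
    $pgExts = array_values(array_intersect(['pgsql', 'pdo_pgsql'], $loaded));
    if ($pgExts === []) {
        return 'not affected: neither pgsql nor pdo_pgsql is loaded';
    }
    $exts = implode(', ', $pgExts);

    // Read only the numeric part so suffixes such as "8.3.23RC1" do not confuse
    // version_compare(); a pre-release of the fixed version is treated as fixed,
    // so check the exact build if you rely on that.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return "unknown version string '$version' with $exts loaded: treat as vulnerable";
    }
    $branch = "$m[1].$m[2]";
    $clean  = "$m[1].$m[2].$m[3]";

    if (!isset(CVE_2025_1735_FIXED[$branch])) {
        // 8.0 and older are end-of-life: no fixed release exists on those branches.
        return version_compare($clean, '8.1.0', '<')
            ? "vulnerable: $clean is end-of-life, no fix on this branch ($exts loaded)"
            : "unknown branch $branch ($exts loaded): check the advisory";
    }
    $fixed = CVE_2025_1735_FIXED[$branch];
    return version_compare($clean, $fixed, '>=')
        ? "patched: $clean >= $fixed ($exts loaded)"
        : "vulnerable: $clean < $fixed ($exts loaded)";
}

// Constructed sample inputs, so the classifier can be eyeballed without a
// second PHP build at hand.
$cases = [
    ['8.3.22', ['Core', 'pgsql']],              // vulnerable
    ['8.3.23', ['Core', 'PDO', 'pdo_pgsql']],   // patched
    ['8.4.9',  ['pgsql', 'pdo_pgsql']],         // vulnerable
    ['8.4.10', ['PDO_PGSQL']],                  // patched (casing differs)
    ['8.0.30', ['pgsql']],                      // end-of-life, no fix
    ['8.2.28', ['Core', 'mysqli']],             // not affected, no pgsql
];
foreach ($cases as [$v, $exts]) {
    printf("%-8s -> %s\n", $v, cve_2025_1735_status($v, $exts));
}

// The check that matters: the build actually executing this script.
echo "\nthis build (", PHP_SAPI, "): ",
    cve_2025_1735_status(PHP_VERSION, get_loaded_extensions()), "\n";
```

Deploy the same script once per SAPI (CLI, FPM pool, mod_php vhost); a host where the CLI reports "patched" while the FPM pool reports "vulnerable" is exactly the case a bare 'php -v' misses.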
📡 Detection & Monitoring
Log Indicators:
- PHP segmentation fault messages in the PHP or system log ("Segmentation fault", "core dumped", "SIGSEGV")
- PHP-FPM master log lines such as "WARNING: [pool www] child 1234 exited on signal 11 (SIGSEGV)" (the failed escaping happens client-side in libpq, so PostgreSQL's own log shows nothing specific; at most an "unexpected EOF on client connection" when a crashed worker drops its connection)
- Web server error logs showing 502 (Nginx + PHP-FPM, typically "upstream prematurely closed connection") or 500 (mod_php) responses with no corresponding application-level error
Network Indicators:
- Increased HTTP 500/502 responses from PHP applications backed by PostgreSQL, clustered on endpoints that accept free-form text
- PostgreSQL connection resets originating from the application hosts (crashed workers drop their connections mid-session)
SIEM Query:
(source="php_error.log" AND ("segmentation fault" OR "core dumped" OR "SIGSEGV")) OR (source="php-fpm.log" AND "exited on signal 11") OR (source="nginx_error.log" AND "upstream prematurely closed connection")