CVE-2025-14177
php8.2 - security update
CVSS 3.1: 7.5 (HIGH)
EPSS: 0.03%
Description
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
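The bug class described above, shown as an added C example that is not PHP's source code: a read loop that writes every chunk to the start of the buffer beside the form that advances the write position. The `src` reader, the 4-byte `CHUNK` size, the 12-byte payload and the `0xAA` sentinel standing in for stale heap contents are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 4     /* constructed: most bytes the source returns per read */
#define STALE 0xAA  /* constructed: sentinel standing in for old heap data */

/* Constructed stand-in for a stream that delivers data in small chunks. */
struct src { const unsigned char *data; size_t len, pos; };

static size_t src_read(struct src *s, unsigned char *out, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    if (n > CHUNK) n = CHUNK;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Bug pattern: each chunk lands at buf[0], yet the total is reported as read. */
static size_t read_all_buggy(struct src *s, unsigned char *buf, size_t len) {
    size_t done = 0, n;
    while (done < len && (n = src_read(s, buf, len - done)) > 0)
        done += n;
    return done;
}

/* Corrected pattern: the write position advances by the bytes already read. */
static size_t read_all_fixed(struct src *s, unsigned char *buf, size_t len) {
    size_t done = 0, n;
    while (done < len && (n = src_read(s, buf + done, len - done)) > 0)
        done += n;
    return done;
}

/* Returns how many bytes of a "fully read" buffer still hold stale data. */
static size_t stale_bytes(int fixed) {
    static const unsigned char seg[] = "APP1-segment"; /* constructed payload */
    unsigned char buf[12];
    struct src s = { seg, sizeof buf, 0 };
    size_t i, stale = 0;
    memset(buf, STALE, sizeof buf);
    if ((fixed ? read_all_fixed : read_all_buggy)(&s, buf, sizeof buf) != sizeof buf)
        return (size_t)-1;
    for (i = 0; i < sizeof buf; i++) stale += (buf[i] == STALE);
    return stale;
}

int main(void) {
    printf("buggy: %zu stale, fixed: %zu stale\n", stale_bytes(0), stale_bytes(1));
    return 0;
}
```

Both loops report the full length as read, so a caller cannot tell from the return value that the tail of the buffer was never written.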
How to fix CVE-2025-14177
To remediate CVE-2025-14177, upgrade the affected package to a fixed version below.
- Upgrade to 8.1.34 or later
- Upgrade to 8.2.30-1~deb12u1 or later
- Upgrade to 8.4.16-1~deb13u1 or later
Is CVE-2025-14177 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.1
- from 0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.1
- from 0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.1
- from 0, < 8.2.30-1~deb12u1
- from 0, < 8.2.30-1~deb12u1
- from 0, < 8.4.16-1~deb13u1
- from 0, < 8.4.16-1~deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |