Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Critical Buffa Rust Library 0-Day DoS Vulnerability in Anthropic
July 1, 2026
Critical Citrix NetScaler ADC and Gateway Bugs Allow DoS, Memory Overflow
July 1, 2026
Home/Vulnerabilities/Critical PHP Vulnerabilities Expose Servers to Remote Attacks
Vulnerabilities

Critical PHP Vulnerabilities Expose Servers to Remote Attacks

Key Takeaways Two critical memory-safety vulnerabilities have been discovered in PHP’s image-processing functions. These flaws could enable attackers to leak sensitive heap memory or trigger...

Sarah simpson
Sarah simpson
May 16, 2026 5 Min Read
56 0

Key Takeaways

  • Two critical memory-safety vulnerabilities have been discovered in PHP’s image-processing functions.
  • These flaws could enable attackers to leak sensitive heap memory or trigger denial-of-service attacks using specially crafted JPEG files.
  • Affected PHP versions include 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1.
  • Patches are available, and immediate updates are strongly recommended for all affected systems.

A cybersecurity researcher has uncovered two critical memory-safety vulnerabilities within PHP’s image-processing capabilities. These flaws, if exploited, could allow malicious actors to extract confidential data from server memory or initiate denial-of-service (DoS) attacks through the manipulation of JPEG image files.

Table Of Content

  • Key Takeaways
  • PHP Memory Safety Vulnerabilities
  • Affected PHP Versions and Root Cause
  • Exploitation Scenario
  • Heap Buffer Overflow in iptcembed
  • Technical Details and TOCTOU
  • Proof-of-Concept Demonstrations
  • Patches and Remediation
  • What You Should Do

The vulnerabilities were identified by Nikita Sveshnikov, a researcher at Positive Technologies, within PHP’s ext/standard extension. Specifically, the widely utilized getimagesize and iptcembed functions, which handle JPEG metadata and IPTC data respectively, were found to be susceptible.

PHP Memory Safety Vulnerabilities

The first vulnerability, identified as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-14177 and assigned a CVSS score of 6.3, presents an information disclosure risk. This flaw manifests when PHP’s getimagesize function processes JPEG APP segments in a multi-chunk reading configuration.

Affected PHP Versions and Root Cause

This particular vulnerability impacts PHP 8.1.* versions prior to 8.1.34, 8.2.* versions prior to 8.2.30, 8.3.* versions prior to 8.3.29, 8.4.* versions prior to 8.4.16, and 8.5.* versions prior to 8.5.1.

The core issue lies within the php_read_stream_all_chunks function, which incorrectly concatenates data chunks when reading JPEG application segments. During the processing of APP segments containing metadata like EXIF or IPTC, the function allocates uninitialized heap memory. Critically, it fails to increment the buffer pointer after each read operation. This oversight leads to subsequent data chunks overwriting the beginning of the buffer, leaving the trailing bytes uninitialized and exposing fragments of process memory.

Exploitation Scenario

Attackers can leverage this flaw by crafting malicious JPEG files containing large APP1 segments designed to be read across multiple chunks, especially when the default chunk size of 8,192 bytes is known. When applications process these tampered images via mechanisms like php://filter or other multi-chunk reading methods, uninitialized heap data—potentially containing sensitive information—is copied into the $info['APPn'] array returned by getimagesize.

This vulnerability poses a significant risk to systems with public-facing upload endpoints, content management systems that generate image thumbnails, webmail services, and image content delivery networks (CDNs) that perform server-side analysis of user-provided images. Remote attackers can exploit this flaw if they can compel a vulnerable PHP process to invoke getimagesize on attacker-controlled data.

Heap Buffer Overflow in iptcembed

The second vulnerability affects the iptcembed function, which is responsible for embedding binary IPTC data into JPEG images. This is a classic heap buffer overflow, stemming from a “measure once, read forever” flaw. The function allocates an output buffer based on a single fstat result but then proceeds to read data until the end-of-file (EOF) without performing any capacity checks.

Technical Details and TOCTOU

The root cause is how iptcembed handles non-standard file types such as FIFOs, pipes, and sockets. For these file types, the st_size field returned by fstat is zero, causing the function to allocate an undersized buffer. Subsequently, the code copies input data into the spoolbuf buffer without validating available space, leading to out-of-bounds writes if the stream contains more data than the allocated capacity.

Furthermore, this vulnerability introduces a Time-of-Check to Time-of-Use (TOCTOU) race condition. In this scenario, regular files can grow in size after the initial fstat call but before the read operation completes. Attackers can exploit this by feeding substantial amounts of data through specially crafted JPEG structures that force the parser into a “read everything until EOF” mode, ultimately triggering heap corruption.

Both vulnerabilities exploit weaknesses in PHP’s Zend Engine memory management, specifically within functions that handle JPEG marker processing. The getimagesize flaw impacts the php_read_APP function, which processes application-specific segments (APP0-APP15) containing metadata such as EXIF coordinates, IPTC authorship details, and XMP data.

For CVE-2025-14177, the vulnerable code path initiates when getimagesize allocates memory using emalloc, which returns uninitialized memory pointers. If multi-chunk reading occurs, the php_stream_read macro writes to the same destination address without applying offsets for already-read bytes. This results in the final chunk overwriting the beginning of the buffer while leaving the tail section untouched, exposing uninitialized data.

The iptcembed buffer overflow manifests when processing M_APP13 or M_SOS (start of scan) markers. In these cases, the parser switches to php_iptc_read_remaining mode and continues copying data until EOF. The vulnerable php_iptc_get1 function advances the write pointer (poi) for every byte without performing checks against the allocated spoolbuf_end boundary, leading to the overflow.

Proof-of-Concept Demonstrations

Researchers successfully demonstrated both vulnerabilities through practical exploits. For the memory disclosure flaw, they created a minimal JPEG file with a large APP1 segment designed to be read across multiple 8,192-byte chunks. They then performed heap spraying with marker strings to fill memory and subsequently read the file via php://filter to force multi-chunk processing. The proof-of-concept successfully leaked the marker string “LEAK-MARKER-123!” from uninitialized heap memory.

The iptcembed overflow was showcased using a two-terminal setup involving named pipes (FIFO). One terminal executed PHP, reading from the pipe, while the other fed a crafted JPEG structure followed by 8MB of data. Because FIFOs report an st_size of zero, the allocated buffer was insufficient to contain the incoming stream, causing AddressSanitizer to detect the heap buffer overflow.

Patches and Remediation

PHP developers have addressed CVE-2025-14177 by modifying the php_read_stream_all_chunks function. The fix ensures that the buffer pointer is advanced after each read operation (buffer += read_now), guaranteeing the sequential appending of chunks. This correction was accompanied by a regression test, ext/standard/tests/image/gh20584.phpt, to prevent future reoccurrences.

For the IPTC embed vulnerability, developers introduced a spoolbuf_end parameter to the php_iptc_get1 and php_iptc_put1 functions, enabling robust bounds checking. The updated code now safely returns EOF when the buffer is full, preventing out-of-bounds writes.

What You Should Do

  • Inventory Systems: Immediately identify all servers and containers running PHP. Prioritize public-facing systems, including upload endpoints, CMS thumbnail generators, webmail services, and image CDNs.
  • Update PHP: Apply the latest patched PHP versions as soon as possible. The corrected versions are 8.1.34, 8.2.30, 8.3.29, 8.4.16, and 8.5.1 or later.
  • Monitor Logs: Enhance monitoring for unusual activity related to image processing functions, especially around file uploads and image manipulation.
  • Input Validation: While patches are critical, ensure robust input validation and sanitization for all user-uploaded content, particularly image files.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Linux Kernel Flaw CVE-2024-XXXX Lets Attackers Read SSH Keys

Next Post

JDownloader Site Compromised, Delivers Malware Via Infected Installers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Microsoft Teams Blocks Uninvited Bots From Meetings
July 1, 2026
Anthropic Claude AI Reportedly Uses Hidden Code to Detect Chinese Users
July 1, 2026
US Eases Export Restrictions on Claude Fable 5 and Mythos 5 AI Models
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us