cbcvebase.
CVE-2025-6491
published 2025-07-13

CVE-2025-6491: In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large…

medium5.9CVSS 3.1
AVNACHPRNUINSUCNINAH
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

Affected

14 ranges
VendorProductVersion rangeFixed in
debianphp7.4< php7.4 7.4.33-1+deb11u9 (bullseye)php7.4 7.4.33-1+deb11u9 (bullseye)
debianphp8.2< php7.4 7.4.33-1+deb11u9 (bullseye)php7.4 7.4.33-1+deb11u9 (bullseye)
debianphp8.4< php7.4 7.4.33-1+deb11u9 (bullseye)php7.4 7.4.33-1+deb11u9 (bullseye)
msrcazl3_php_8.3.23-1_on_azure_linux_3.0
msrccbl2_php_8.1.32-1_on_cbl_mariner_2.0
msrccbl2_php_8.1.33-1_on_cbl_mariner_2.0
phpphp>= 8.1.0 < 8.1.338.1.33
phpphp>= 8.2.0 < 8.2.298.2.29
phpphp>= 8.3.0 < 8.3.238.3.23
phpphp>= 8.4.0 < 8.4.108.4.10
php_groupphp>= 8.1.* < 8.1.338.1.33
php_groupphp>= 8.2.* < 8.2.298.2.29
php_groupphp>= 8.3.* < 8.3.238.3.23
php_groupphp>= 8.4.* < 8.4.108.4.10

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
osv5.9MEDIUM