CVE-2025-14177
HIGHCVSS v3
7.5
HIGH
EPSS Score
0.1%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Technical Details
- Published
- 12/27/2025
Frequently Asked Questions
What is CVE-2025-14177?
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Is CVE-2025-14177 actively exploited?
Active exploitation of CVE-2025-14177 has not been confirmed. The EPSS score is 0.1%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-14177?
CVE-2025-14177 has a CVSS v3 base score of 7.5 (HIGH severity).
Is CVE-2025-14177 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.