Security researchers at Positive Technologies have disclosed two critical memory-safety vulnerabilities in PHP image-processing functions that allow attackers to leak sensitive heap memory contents or execute denial-of-service attacks through specially crafted JPEG image files. Both vulnerabilities affect PHP versions 8.1 through 8.5 and have been patched in the latest point releases. Organizations running PHP-based web applications should treat this as a priority update.
CVE-2025-14177: Heap Memory Disclosure via getimagesize()
The first vulnerability, tracked as CVE-2025-14177, carries a CVSS score of 6.3 and affects PHP getimagesize() function when processing JPEG APP segments in multi-chunk reading mode. The affected PHP versions are:
- PHP 8.1.x before 8.1.34
- PHP 8.2.x before 8.2.30
- PHP 8.3.x before 8.3.29
- PHP 8.4.x before 8.4.16
- PHP 8.5.x before 8.5.1
The vulnerability stems from a bug in the php_read_stream_all_chunks() function, which incorrectly concatenates data chunks when reading JPEG application segments (APP0 through APP15). These segments contain metadata such as EXIF coordinates, IPTC authorship data, and XMP records. When PHP processes these segments, the function allocates uninitialized heap memory using emalloc() — but critically fails to increment the buffer pointer after each read operation. As a result, subsequent chunks overwrite the beginning of the buffer rather than appending to it, leaving tail bytes uninitialized and exposing fragments of the PHP process heap memory.
How the Exploit Works
An attacker can exploit CVE-2025-14177 by crafting JPEG files with large APP1 segments designed to be read across multiple 8,192-byte chunks (the default PHP chunk size, which is fixed in source code and therefore predictable). When a vulnerable PHP application processes the malicious image via getimagesize() — particularly through php://filter or similar multi-chunk reading mechanisms — uninitialized heap memory is copied into the $info[APPn] array returned by the function and becomes accessible to the attacker.
The attack surface is particularly broad and affects applications across multiple sectors:
- Public-facing file upload endpoints that process or validate images.
- Content management systems that generate thumbnails from uploaded files.
- Webmail services that render embedded images from email attachments.
- Image CDNs and media platforms that perform server-side metadata extraction on user-uploaded content.
Researchers at Positive Technologies demonstrated successful exploitation in a proof-of-concept that leaked the string LEAK-MARKER-123! from uninitialized heap memory — confirming that attacker-controlled heap spray can make sensitive data reliably accessible through this channel.
Second Vulnerability: Heap Buffer Overflow in iptcembed()
The second vulnerability affects the iptcembed() function, which embeds binary IPTC metadata into JPEG images. This is a classic heap buffer overflow caused by what researchers describe as a measure once, read forever flaw. The function allocates an output buffer based on a single fstat() call but continues reading data until EOF without checking buffer capacity against available space.
The root cause involves how iptcembed() handles non-standard file types such as FIFOs, pipes, and sockets. For these file types, the st_size field returned by fstat() is 0, causing the function to allocate a zero-sized or undersized buffer. The code then copies input data byte-by-byte into the spoolbuf buffer without bounds checking, resulting in out-of-bounds writes when the stream contains more data than allocated.
This vulnerability also introduces a time-of-check to time-of-use (TOCTOU) race condition: regular files can grow in size after fstat() completes but before the read operation finishes, potentially triggering the same heap overflow on regular files under race conditions.
Patches and Remediation Steps
PHP developers have addressed both vulnerabilities in recent point releases. The fix for CVE-2025-14177 modifies php_read_stream_all_chunks() to correctly advance the buffer pointer (buffer += read_now) after each read operation, ensuring sequential appending rather than overwriting. For the iptcembed() overflow, developers added boundary parameters to the affected internal functions to enforce capacity limits, returning EOF safely when the buffer is full rather than writing out of bounds.
Organizations should take the following immediate actions:
- Update all PHP installations to patched versions: 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1 and above.
- Prioritize public-facing upload endpoints, CMS thumbnail generators, webmail systems, and image CDNs.
- Inventory all hosts and containers running PHP, including Docker images and managed hosting environments.
- Implement file type validation and enforce size limits on image uploads as a defense-in-depth layer.
- Review web application firewall rules and alert on anomalous image upload activity.
PHP powers an estimated 77% of all websites with a known server-side language, making these vulnerabilities a significant risk for unpatched deployments at scale. Given the prevalence of PHP in web applications and the wide availability of JPEG file upload features, organizations should not delay in applying available patches.