CVEFinder.io

CVE-2025-6491

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

CVSS Score
5.9
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2025-07-13
First Seen: 2026-01-05
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 33.3% of all 329,456 vulnerabilities in our database.

#219,613
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jul 14, 2025
πŸ” Exploitation Status
Poc
Proof-of-concept available
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
πŸ† Discovered By
Ahmed Lekssays (reporter)
SSVC data provided by CISA
Last Modified 2025-11-04
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-476

πŸ“¦ Affected Products 4

Vendor Product Status Affected Versions
php php Affected
≥ 8.1.0 < 8.1.33
php php Affected
≥ 8.2.0 < 8.2.29
php php Affected
≥ 8.3.0 < 8.3.23
php php Affected
≥ 8.4.0 < 8.4.10

πŸ”— References 3

https://github.com/php/php-src/security/advisories/G...
Exploit Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/11/4
https://lists.debian.org/debian-lts-announce/2025/07...

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-14177 ⚠️ high 7.5 0.0 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, ... 2025-12-27
CVE-2025-14178 πŸ”Ά medium 6.5 0.1 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, ... 2025-12-27
CVE-2025-14180 ⚠️ high 7.5 0.0 In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 w... 2025-12-27
CVE-2025-1220 ℹ️ low 3.7 0.0 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like f... 2025-07-13
CVE-2025-1735 πŸ”Ά medium 5.9 0.1 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functi... 2025-07-13
CVE-2024-11235 ⚠️ high 8.1 1.5 In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator a... 2025-04-04
These CVEs affect the same products