Critical PHP PDO Driver Bugs Expose Firebird SQL Injection and PostgreSQL DoS Risks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly disclosed pair of flaws in PHP’s database driver layer shows that even mature code can hide dangerous surprises.

The bugs live inside PHP Data Objects (PDO), the abstraction layer web applications use to talk to databases like Firebird and PostgreSQL. Low level quirks in these drivers let attackers slip malicious input past safe defenses.

The first issue affects the pdo_firebird driver and opens the door to SQL injection through NUL bytes hidden inside properly quoted strings.

The second flaw hits pdo_pgsql, PHP’s PostgreSQL driver, and can crash an application process, causing a denial of service. Both bugs slipped through because the driver layer trusted assumptions about C string handling that do not always hold true.

Researchers Aleksey Solovev and Nikita Sveshnikov from PT Swarm identified both issues during an audit of PDO and its supporting drivers.

Their review went beyond PHP’s own codebase into third party client libraries PDO depends on, uncovering weaknesses that had gone unnoticed for years.

PT Swarm said in a report shared with Cyber Security News (CSN) that the flaws show database security in PHP depends as much on driver internals as on application code.

The impact is significant because Firebird and PostgreSQL are widely used in production, from internal tools to e-commerce platforms. A successful SQL injection could expose sensitive records or bypass authentication entirely.

The denial of service bug can be triggered by submitting malformed input, crashing a PHP worker mid transaction and leaving databases inconsistent.

Critical PHP PDO Driver Bugs

The first vulnerability, tracked as CVE-2026-25289 and rated High severity, centers on how the pdo_firebird driver reconstructs SQL statements after they have already been safely quoted.

Developers often assume calling PDO::quote before PDO::prepare is inherently safe, but this research shows the pattern can be deceptive. The quoting step works fine, but a later preprocessing stage silently breaks the intended string boundaries.

The root cause traces to the driver’s use of the C function strncat, which stops copying data the moment it hits a NUL byte, ignoring the byte length it was told to copy.

Overall architecture of DBMS access in PHP (Source – PT Swarm)

If a quoted value contains a NUL byte, the closing quote gets dropped during reconstruction, and attacker controlled data spills into executable SQL.

In the proof of concept, this allowed a UNION based injection revealing internal database version details that should never have been visible.

PHP maintainers fixed the issue in a routine security release, rewriting the Firebird driver’s token by token reconstruction logic to use a binary safe method instead of the unsafe NUL terminated approach.

Operators running older, unpatched builds remain exposed until they update.

Null Pointer Crash In PostgreSQL Driver

The second flaw, CVE-2026-25290, rated Moderate with a CVSS score around 7.3, affects the pdo_pgsql driver when emulated prepared statements are explicitly enabled.

Under this setting, if a parameter contains an invalid multibyte character sequence for the active connection encoding, libpq fails silently and returns a NULL escaped string.

PDO’s parser then tries to read the length of that NULL value, triggering a null pointer dereference and immediate segmentation fault.

This is more than an inconvenience. In one scenario modeled by PT Swarm, an e-commerce checkout script processed a payment, debited a customer’s balance, and then crashed while inserting the order record, since a malformed byte sequence was slipped into a notes field.

PHP worker process (Source – PT Swarm)

The customer was charged with no order ever created, quietly damaging trust and financial accuracy.

The fix, released in the same coordinated update, ensures the driver checks for a NULL escaped value before dereferencing it, turning a fatal crash into a catchable application error. Developers are strongly encouraged to update PHP across supported branches.

Researchers also recommend treating binary input as untrustworthy, avoiding emulated prepare modes where unnecessary, and wrapping financial workflows inside atomic transactions instead of relying on default autocommit behavior.

These findings remind us that web application security depends not only on the code developers write, but also on the runtime and native libraries underneath it.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.