
PHP powers a massive share of the internet. Yet its core C extension, ext/standard, is rarely scrutinized the way frameworks are. That blind spot proved dangerous: Positive Technologies researcher Nikita Sveshnikov uncovered two memory management bugs while auditing the extension’s C code, both triggered through standard JPEG image processing functions.
Together, they demonstrate that even the most routine tasks, reading an image’s dimensions or embedding metadata, can become attack vectors.
PHP Memory Flaws
The first flaw, assigned CVE-2025-14177 with a CVSS score of 6.3 (moderate), lives in the getimagesize() function. When PHP reads a JPEG file containing a large APP segment (like APP1, which stores EXIF or XMP data), the internal helper php_read_stream_all_chunks() reads data in chunks, but contains a critical pointer error.
The buffer pointer is never advanced after a read. The second chunk therefore overwrites the start of the buffer, and the tail bytes are never written, leaving uninitialized heap memory in place.
When the application returns $info['APP1'] to the caller, those garbage heap bytes come along for the ride. An attacker who knows the default chunk size (8,192 bytes) can craft a JPEG to deliberately trigger multi-chunk reads and harvest fragments of process memory, potentially exposing tokens, credentials, or other sensitive data stored elsewhere on the heap.
The vulnerability affects PHP 8.1.x before 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.1.
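To make the pointer defect concrete, here is an added C example; it is not PHP's code and does not reproduce php_read_stream_all_chunks(). It models a chunked reader over a constructed in-memory stream (mem_stream and the 20,000-byte payload are this example's own assumptions), places the non-advancing pointer beside the one-line fix the article names, and counts how many output bytes each version leaves untouched. The 8,192-byte chunk size is the default the article cites; zero-filling the output buffer stands in for the uninitialized heap memory a real allocation would carry.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stream standing in for a PHP stream (constructed for this example). */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_stream;

/* Delivers at most `want` bytes, the way a real stream read can come back short. */
static size_t mem_stream_read(mem_stream *s, unsigned char *dst, size_t want) {
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

#define CHUNK_SIZE 8192  /* the default chunk size the article cites */

/* The pattern the article describes: `buf` is passed unchanged to every read, so each
 * chunk lands at the start of the buffer and the tail is never written. */
bool read_all_chunks_buggy(mem_stream *s, unsigned char *buf, size_t total) {
    size_t to_read = total;
    while (to_read > 0) {
        size_t want = to_read < CHUNK_SIZE ? to_read : CHUNK_SIZE;
        size_t read_now = mem_stream_read(s, buf, want);  /* always buf, never buf + offset */
        if (read_now == 0) return false;                  /* short stream: fail instead of spinning */
        to_read -= read_now;
    }
    return true;
}

/* Corrected pattern, matching the fix the article describes: advance by read_now each time. */
bool read_all_chunks_fixed(mem_stream *s, unsigned char *buf, size_t total) {
    size_t to_read = total;
    while (to_read > 0) {
        size_t want = to_read < CHUNK_SIZE ? to_read : CHUNK_SIZE;
        size_t read_now = mem_stream_read(s, buf, want);
        if (read_now == 0) return false;
        buf += read_now;  /* the one-line difference */
        to_read -= read_now;
    }
    return true;
}

enum { PAYLOAD_LEN = 20000 };  /* constructed: three chunks (8192 + 8192 + 3616) */

/* Fills a constructed payload whose bytes are never 0, so a 0 byte in the output
 * can only mean "never written". */
static void fill_payload(unsigned char *data) {
    for (size_t i = 0; i < PAYLOAD_LEN; i++) data[i] = (unsigned char)(i % 251) + 1;
}

/* Runs one of the two readers into a zero-filled buffer; both arrays are caller-owned. */
static bool run_reader(bool use_fixed, unsigned char *data, unsigned char *buf) {
    fill_payload(data);
    memset(buf, 0, PAYLOAD_LEN);
    mem_stream s = { data, PAYLOAD_LEN, 0 };
    return use_fixed ? read_all_chunks_fixed(&s, buf, PAYLOAD_LEN)
                     : read_all_chunks_buggy(&s, buf, PAYLOAD_LEN);
}

/* Number of output bytes the reader never wrote; (size_t)-1 if the read failed. */
size_t unwritten_bytes(bool use_fixed) {
    unsigned char data[PAYLOAD_LEN], buf[PAYLOAD_LEN];
    if (!run_reader(use_fixed, data, buf)) return (size_t)-1;
    size_t unwritten = 0;
    for (size_t i = 0; i < PAYLOAD_LEN; i++) if (buf[i] == 0) unwritten++;
    return unwritten;
}

/* True when the reader reproduced the payload byte for byte. */
bool output_matches_input(bool use_fixed) {
    unsigned char data[PAYLOAD_LEN], buf[PAYLOAD_LEN];
    if (!run_reader(use_fixed, data, buf)) return false;
    return memcmp(buf, data, PAYLOAD_LEN) == 0;
}

int main(void) {
    printf("buggy reader: %zu of %d bytes never written, matches input: %s\n",
           unwritten_bytes(false), PAYLOAD_LEN, output_matches_input(false) ? "yes" : "no");
    printf("fixed reader: %zu of %d bytes never written, matches input: %s\n",
           unwritten_bytes(true), PAYLOAD_LEN, output_matches_input(true) ? "yes" : "no");
    return 0;
}
```

With a three-chunk payload the buggy reader fills only the first 8,192 bytes and leaves the remaining 11,808 untouched, which is exactly the region that would be returned to the caller as whatever the heap held before.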
Heap Buffer Overflow in iptcembed
The second bug hits the iptcembed() function, which embeds IPTC metadata into JPEG files. The function pre-allocates an output buffer based on fstat()’s reported file size (st_size), then reads from the stream until EOF without ever checking if the buffer is full.
For special files like FIFOs or named pipes, st_size is 0, so the buffer is allocated at near-zero size while the data stream can be arbitrarily large.
This is a classic TOCTOU (Time-of-Check to Time-of-Use) flaw. Even with regular files, a race window exists between the fstat() call and the actual read; if the file grows in that window, the overflow still triggers.
The vulnerable write occurs byte-by-byte in php_iptc_get1(), where each character is appended to the buffer pointer without bounds validation, as confirmed by AddressSanitizer stack traces showing a write past a 1,087-byte-allocated region.
Both bugs were responsibly disclosed to the PHP team in November 2025 and fixed before the research was published. The getimagesize fix is straightforward: the buffer pointer now advances by read_now after each chunk read, ensuring sequential writing.
For iptcembed, a spoolbuf_end bounds parameter was added to php_iptc_get1() and its call chain. When the buffer is full, the function returns EOF instead of writing out of bounds.
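The shape of that fix, as an added C example that is not PHP's code: the spool copy carries a spoolbuf_end bound (that parameter name comes from the article; byte_source, spool_until_eof and demo_spool are this example's own) and stops at EOF or at the bound, whichever comes first. The demo sizes the buffer from a "reported" size, as a caller trusting st_size would, then feeds it a constructed stream that is larger than, equal to, or smaller than that size, covering the FIFO case (reported size 0) and the file-grew-after-fstat case.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical byte source standing in for a PHP stream (constructed for this example). */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} byte_source;

/* One byte at a time, EOF once the stream is exhausted. */
static int source_getc(byte_source *src) {
    if (src->pos >= src->len) return EOF;
    return src->data[src->pos++];
}

typedef struct {
    size_t copied;     /* bytes written into spoolbuf */
    bool   truncated;  /* true when the stream still had data after the buffer filled */
} spool_result;

/* Bounded spool, modelled on the fix the article describes: the write pointer is paired
 * with spoolbuf_end, and the copy stops once it reaches that bound instead of writing
 * past it. Without the `p >= spoolbuf_end` check this loop is the byte-by-byte append
 * that overflowed. */
spool_result spool_until_eof(byte_source *src, unsigned char *spoolbuf, unsigned char *spoolbuf_end) {
    unsigned char *p = spoolbuf;
    spool_result r = { 0, false };
    for (;;) {
        int c = source_getc(src);
        if (c == EOF) break;          /* genuine end of stream */
        if (p >= spoolbuf_end) {      /* buffer full: report it, do not write */
            r.truncated = true;
            break;
        }
        *p++ = (unsigned char)c;
    }
    r.copied = (size_t)(p - spoolbuf);
    return r;
}

/* Allocates a spool buffer of `reported_size` bytes (what a caller that trusts st_size
 * would do) and copies a constructed stream of `actual_len` bytes through the bounded
 * spool. reported_size == 0 models the FIFO case; reported_size < actual_len models a
 * file that grew between fstat() and the read. On allocation failure copied is (size_t)-1. */
spool_result demo_spool(size_t reported_size, size_t actual_len) {
    spool_result r = { (size_t)-1, false };
    unsigned char *data = malloc(actual_len ? actual_len : 1);
    unsigned char *spoolbuf = malloc(reported_size ? reported_size : 1);
    if (!data || !spoolbuf) {
        free(data);
        free(spoolbuf);
        return r;
    }
    for (size_t i = 0; i < actual_len; i++) data[i] = (unsigned char)(i & 0xff);  /* constructed content */
    byte_source src = { data, actual_len, 0 };
    r = spool_until_eof(&src, spoolbuf, spoolbuf + reported_size);
    free(data);
    free(spoolbuf);
    return r;
}

int main(void) {
    const size_t cases[][2] = { { 0, 4096 }, { 1087, 2000 }, { 4096, 4096 }, { 4096, 100 } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        spool_result r = demo_spool(cases[i][0], cases[i][1]);
        printf("reported %zu, actual %zu -> copied %zu, truncated %s\n",
               cases[i][0], cases[i][1], r.copied, r.truncated ? "yes" : "no");
    }
    return 0;
}
```

A caller should treat `truncated` as a reason to reject the input outright rather than emit a silently shortened file: the bound stops the overflow, but a size that disagreed with the stream is still a sign the input is not what fstat() said it was. The 1,087-byte case mirrors the allocation size from the article's AddressSanitizer trace.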
Affected Versions & Recommended Actions
| Function | Bug Type | CVE | CVSS | Fixed In |
|---|---|---|---|---|
| getimagesize() | Heap memory disclosure | CVE-2025-14177 | 6.3 | 8.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1 |
| iptcembed() | Heap buffer overflow | N/A (public issue) | — | PHP commit Nov 26, 2025 |
Users running PHP applications that process user-supplied images, especially those calling getimagesize() with the $image_info parameter or using iptcembed() on untrusted files, should immediately upgrade to the patched versions listed above.
As a temporary measure, avoid passing untrusted JPEG files through php://filter streams or FIFO-backed paths until patching is complete.
The post Weaponized JPEG Images Could Enable Exploitation of PHP Memory Flaws appeared first on Cyber Security News.
