Categories: Cyber Security News

Weaponized JPEG Images Could Enable Exploitation of PHP Memory Flaws

A pair of memory-safety bugs lurking inside PHP’s image-handling functions, CVE-2025-14177 and an unpatched heap overflow in iptcembed, could allow attackers to leak sensitive server memory or crash PHP applications using nothing more than a crafted JPEG file.

PHP powers a massive share of the internet. Yet its core C extension, ext/standard, is rarely scrutinized the way frameworks are. That blind spot proved dangerous: Positive Technologies researcher Nikita Sveshnikov uncovered two memory management bugs while auditing the extension’s C code, both triggered through standard JPEG image processing functions.

Together, they demonstrate that even the most routine tasks, reading an image’s dimensions or embedding metadata, can become attack vectors.

PHP Memory Flaws

The first flaw, assigned CVE-2025-14177 with a CVSS score of 6.3 (moderate), lives in the getimagesize() function. When PHP reads a JPEG file containing a large APP segment (like APP1, which stores EXIF or XMP data), the internal helper php_read_stream_all_chunks() reads data in chunks, but contains a critical pointer error.

After each read, the buffer pointer is never advanced. This means the second chunk overwrites the buffer’s start, and the tail bytes are never written, leaving uninitialized heap memory in place.

Chunk read bug visualization (source: ptsecurity)

When the application returns $info['APP1'] to the caller, those garbage heap bytes come along for the ride. An attacker who knows the default chunk size (8,192 bytes) can craft a JPEG to deliberately trigger multi-chunk reads and harvest fragments of process memory, potentially exposing tokens, credentials, or other sensitive data stored elsewhere on the heap.

The vulnerability affects PHP 8.1.x before 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.1.
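To make the chunk-read defect concrete, the following added C example (not PHP's own code, and not from the Positive Technologies write-up) models php_read_stream_all_chunks() against a constructed in-memory stream that caps each read at a few bytes. The names fake_stream, fake_read, read_all_chunks_buggy and read_all_chunks_fixed are this example's own; the only detail taken from the article is the missing pointer advance and its fix. The output buffer is pre-filled with 0xAA so that stale bytes can be counted rather than actually leaked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a php_stream: a byte array with a read cursor.
 * Each read hands back at most max_chunk bytes, so a segment larger than
 * that takes several reads, just as a large APP1 segment does in PHP
 * (whose helper uses an 8,192-byte chunk). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    size_t max_chunk;   /* hypothetical cap, chosen small for the demo */
} fake_stream;

static size_t fake_read(fake_stream *s, uint8_t *buf, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = want;
    if (n > s->max_chunk) n = s->max_chunk;
    if (n > avail) n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Buggy loop as the article describes it: the write pointer is never moved,
 * so every chunk lands at the start of the buffer and the tail is left with
 * whatever the allocator handed out. Reports success regardless. */
static int read_all_chunks_buggy(fake_stream *s, uint8_t *buffer, size_t length)
{
    size_t read_total = 0;
    while (read_total < length) {
        size_t read_now = fake_read(s, buffer, length - read_total);
        if (read_now == 0) return 0;
        read_total += read_now;
        /* missing: buffer += read_now; */
    }
    return 1;
}

/* Fixed loop: the write pointer advances by read_now after each chunk. */
static int read_all_chunks_fixed(fake_stream *s, uint8_t *buffer, size_t length)
{
    size_t read_total = 0;
    while (read_total < length) {
        size_t read_now = fake_read(s, buffer, length - read_total);
        if (read_now == 0) return 0;
        read_total += read_now;
        buffer += read_now;
    }
    return 1;
}

/* Reads a constructed 12-byte "segment" through a stream that returns at most
 * 4 bytes per call. Returns how many output bytes still hold the 0xAA filler
 * (stand-in for stale heap contents): 0 with the fixed loop, 8 with the
 * buggy one, or -1 if the loop reports failure. */
static int stale_bytes_after_read(int use_fixed)
{
    static const uint8_t segment[] = "ABCDEFGHIJKL";
    size_t seg_len = sizeof segment - 1;          /* drop the NUL */
    uint8_t out[12];
    memset(out, 0xAA, sizeof out);
    fake_stream s = { segment, seg_len, 0, 4 };
    int ok = use_fixed ? read_all_chunks_fixed(&s, out, sizeof out)
                       : read_all_chunks_buggy(&s, out, sizeof out);
    if (!ok) return -1;
    int stale = 0;
    for (size_t i = 0; i < sizeof out; i++)
        if (out[i] == 0xAA) stale++;
    return stale;
}

int main(void)
{
    printf("buggy loop: %d stale bytes returned to the caller\n", stale_bytes_after_read(0));
    printf("fixed loop: %d stale bytes returned to the caller\n", stale_bytes_after_read(1));
    return 0;
}
```

With the buggy loop only the last chunk survives at the front of the buffer and two thirds of it is never written, which is exactly the region that $info['APP1'] would hand back to PHP code.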

Heap Buffer Overflow in iptcembed

The second bug hits the iptcembed() function, which embeds IPTC metadata into JPEG files. The function pre-allocates an output buffer based on fstat()’s reported file size (st_size), then reads from the stream until EOF without ever checking if the buffer is full.

Iptcembed buffer allocation (source: ptsecurity)

For special files such as FIFOs or named pipes, fstat() reports an st_size of 0, so the output buffer is allocated at a near-zero size, while the data stream itself can be arbitrarily large.

This is a classic TOCTOU (Time-of-Check to Time-of-Use) flaw. Even with regular files, a race window exists between the fstat() call and the actual read; if the file grows in that window, the overflow still triggers.

The vulnerable write occurs byte-by-byte in php_iptc_get1(), where each character is appended to the buffer pointer without bounds validation, as confirmed by AddressSanitizer stack traces showing a write past a 1,087-byte-allocated region.

Both bugs were responsibly disclosed to the PHP team in November 2025 and fixed before the research was published. The getimagesize fix is straightforward: the buffer pointer now advances by read_now after each chunk read, ensuring sequential writing.

Iptcembed overflow diagram (source: ptsecurity)

For iptcembed, a spoolbuf_end bounds parameter was added to php_iptc_get1() and its call chain. When the buffer is full, the function returns EOF instead of writing out of bounds.
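The bounded-write fix can be shown in a few lines. The added C example below is this editor's model, not PHP's php_iptc_get1() or the committed patch: fake_stream, fake_getc, iptc_get1_unbounded, iptc_get1_bounded, spool_until_eof and overflow_bytes are all names invented here, and the 64-byte backing array exists only so that the unbounded variant's overrun can be measured instead of corrupting the heap. It reproduces both scenarios from the article: an st_size of 0 reported for a FIFO, and a regular file that grows between fstat() and the read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a php_stream: a byte array with a read cursor. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } fake_stream;

static int fake_getc(fake_stream *s)
{
    return s->pos < s->len ? s->data[s->pos++] : EOF;
}

/* Unbounded byte append, the pattern the article describes: each character
 * is stored through the spool pointer with no check against the end of the
 * allocation. */
static int iptc_get1_unbounded(fake_stream *s, unsigned char **spoolbuf)
{
    int c = fake_getc(s);
    if (c == EOF) return EOF;
    *(*spoolbuf)++ = (unsigned char)c;
    return c;
}

/* Bounded variant in the spirit of the fix: spoolbuf_end points one past the
 * allocation, and a full buffer yields EOF instead of a write. */
static int iptc_get1_bounded(fake_stream *s, unsigned char **spoolbuf,
                             const unsigned char *spoolbuf_end)
{
    if (*spoolbuf >= spoolbuf_end) return EOF;
    int c = fake_getc(s);
    if (c == EOF) return EOF;
    *(*spoolbuf)++ = (unsigned char)c;
    return c;
}

/* Models the copy loop: the buffer is sized from the st_size the caller was
 * told (alloc_size), but the stream is read until EOF. Returns the number of
 * bytes written; anything above alloc_size is an overflow. The backing array
 * is larger than any alloc_size used here so the overrun stays observable. */
static size_t spool_until_eof(const unsigned char *input, size_t input_len,
                              size_t alloc_size, int bounded)
{
    unsigned char backing[64];
    if (alloc_size > sizeof backing || input_len > sizeof backing) return (size_t)-1;
    unsigned char *spoolbuf = backing;
    const unsigned char *spoolbuf_end = backing + alloc_size;
    fake_stream s = { input, input_len, 0 };
    if (bounded) {
        while (iptc_get1_bounded(&s, &spoolbuf, spoolbuf_end) != EOF) { }
    } else {
        while (iptc_get1_unbounded(&s, &spoolbuf) != EOF) { }
    }
    return (size_t)(spoolbuf - backing);
}

/* reported_size is what fstat() said; actual_size is what the stream delivers.
 * Returns how many bytes landed past the allocation. */
static size_t overflow_bytes(size_t reported_size, size_t actual_size, int bounded)
{
    unsigned char input[64];
    memset(input, 'I', sizeof input);            /* constructed IPTC payload */
    size_t written = spool_until_eof(input, actual_size, reported_size, bounded);
    return written > reported_size ? written - reported_size : 0;
}

int main(void)
{
    printf("unbounded, st_size=0, 20-byte stream: %zu bytes past allocation\n",
           overflow_bytes(0, 20, 0));
    printf("bounded,   st_size=0, 20-byte stream: %zu bytes past allocation\n",
           overflow_bytes(0, 20, 1));
    printf("bounded,   st_size=8, 20-byte stream: %zu bytes past allocation\n",
           overflow_bytes(8, 20, 1));
    return 0;
}
```

The bounded loop stops at the allocation end and reports fewer bytes than the stream offered, which is the safe failure the patch chose; a caller that needs the full payload must size the buffer from what it actually read, not from a stat result taken earlier.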

| Function | Bug Type | CVE | CVSS | Fixed In |
|---|---|---|---|---|
| getimagesize() | Heap memory disclosure | CVE-2025-14177 | 6.3 | 8.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1 |
| iptcembed() | Heap buffer overflow | N/A (public issue) | | PHP commit, Nov 26, 2025 |

Users running PHP applications that process user-supplied images, especially those calling getimagesize() with the $image_info parameter or using iptcembed() on untrusted files, should immediately upgrade to the patched versions listed above.

As a temporary measure, avoid passing untrusted JPEG files through php://filter streams or FIFO-backed paths until patching is complete.


The post Weaponized JPEG Images Could Enable Exploitation of PHP Memory Flaws appeared first on Cyber Security News.
