Analysis of JPEG Processing Vulnerabilities in PHP: Memory Leak and Buffer Overflow
⚔️ Attack Techniques & Methods · 2026-05-20, 09:47
The PT SWARM article analyzes two vulnerabilities in the PHP core related to JPEG file processing. The first affects the getimagesize function: because of buffer handling issues, uninitialized memory may be leaked, exposing heap fragments. This vulnerability has been assigned the identifier CVE-2025-14177.
The second vulnerability affects the iptcembed function and is a heap buffer overflow: the buffer size is calculated incorrectly and is not properly enforced during stream reading, allowing out-of-bounds memory access. The article also demonstrates how such vulnerabilities can be exploited in practice and which changes were introduced in the PHP codebase to mitigate the issue.