CVE-2025-1735: 
PHP vulnerability analysis and mitigation

CVE-2025-1735 is a critical security vulnerability discovered in PHP's PostgreSQL extension that affects versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10. The vulnerability was discovered in February 2025 and stems from inadequate error checking during string escaping operations in the pgsql extension (Cyber Security News, GBHackers).

The vulnerability occurs when PHP's pgsql extension fails to properly check for errors during the escaping of user-supplied data. Specifically, the extension does not pass error parameters to the PQescapeStringConn() function, preventing it from reporting encoding errors. Additionally, multiple calls to PQescapeIdentifier() fail to check for NULL return values, which represents the documented method for error reporting. The vulnerability carries a CVSS score of 9.1, indicating critical severity (Cyber Security News).

The vulnerability can lead to SQL injection attacks, allowing attackers to potentially gain unauthorized access to sensitive data or manipulate the database. Additionally, the improper error handling can result in application crashes due to null pointer dereferences, leading to service disruptions (GBHackers).

Administrators and developers are urged to update their PHP installations to the patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates address the vulnerability by restoring proper error-handling mechanisms in the affected extensions. Additionally, it is recommended to audit applications for unsafe use of database escaping (GBHackers).