CVE-2025-1735: 
PHP vulnerability analysis and mitigation

CVE-2025-1735 affects PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10. The vulnerability exists in the pgsql and pdo_pgsql escaping functions which do not properly check if the underlying quoting functions returned errors. This could lead to potential security issues when interacting with PostgreSQL servers (PHP Advisory, NVD).

The vulnerability stems from PHP's improper implementation of PostgreSQL escape functions. Specifically, the error parameter is not passed to PQescapeStringConn(), preventing error reporting. Additionally, several calls to PQescapeIdentifier() do not check for NULL return values, which is the documented way for these functions to report errors. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST and 5.9 (MEDIUM) from PHP Group, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (PHP Advisory, NVD).

The vulnerability can result in two primary impacts: potential SQL injection vulnerabilities and application crashes due to null pointer dereferences. If a PostgreSQL server rejects a string as invalid, the lack of proper error checking could lead to security issues or system instability (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.33, 8.2.29, 8.3.23, and 8.4.10. Users are advised to upgrade to these or later versions to address the security issue (PHP Advisory, NVD).