CVE-2025-6491: 
PHP vulnerability analysis and mitigation

CVE-2025-6491 is a NULL Pointer Dereference vulnerability discovered in PHP's SOAP Extension. The vulnerability affects PHP versions 8.1. before 8.1.33, 8.2. before 8.2.29, 8.3. before 8.3.23, and 8.4. before 8.4.10. When parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. The vulnerability was discovered by Ahmed Lekssays from Qatar Computing Research Institute (PHP Advisory).

The vulnerability occurs in PHP installations with the SOAP extension enabled when using libxml2 versions prior to 2.13. The issue stems from libxml2's inability to correctly handle calls to xmlNodeSetName() with names longer than 2GB, resulting in the node object being left in an invalid state with a NULL name. This subsequently causes a NULL pointer dereference during message serialization when using the name. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (PHP Advisory, Ubuntu).

The primary impact of this vulnerability is a denial of service condition. When exploited, it causes a segmentation fault leading to PHP process termination, which can disrupt web applications using SOAP functionality. The vulnerability can be triggered when a SoapVar is created with a qualified name based on user-controlled SOAP data (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.33, 8.2.29, 8.3.23, and 8.4.10. Users are advised to upgrade to these or later versions to mitigate the vulnerability. The fix has been implemented through commits in the PHP source code repository (Debian, Ubuntu).