
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-6491 is a vulnerability affecting PHP's SOAP extension that was discovered in July 2025. The vulnerability impacts PHP versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10. This security flaw occurs when a SoapVar instance is created with a fully qualified name exceeding 2GB in size, which can trigger a null pointer dereference (Cybersecurity News, GBHackers).
The vulnerability stems from limitations in libxml2 versions prior to 2.13, which cannot properly handle calls to xmlNodeSetName() with names longer than 2GB. When processing oversized namespace prefixes, this leaves XML node objects in an invalid state with NULL names, subsequently causing crashes during message serialization. The flaw manifests through the xmlBuildQName() function and carries a CVSS score of 5.9, indicating moderate severity (Cybersecurity News).
The primary impact of this vulnerability is the potential for Denial of Service (DoS) conditions. When exploited, the vulnerability causes segmentation faults leading to immediate application termination. Any PHP application using the SOAP extension is at risk of being crashed by a remote attacker, potentially causing service disruption (GBHackers).
The recommended mitigation is to update PHP installations to the patched versions: 8.1.33, 8.2.29, 8.3.23, or 8.4.10. These updates address the vulnerability by implementing proper error-handling mechanisms in the affected SOAP extension. System administrators should treat this update with urgency to prevent potential service disruptions (GBHackers).
Source: This report was generated using AI
Free Vulnerability Assessment
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
"We know that if Wiz identifies something as critical, it actually is."