CVE-2025-6491

low-risk

Published 2025-07-13

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

Do I need to act?

0.25% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Php

Affected Vendors

Php

References (4)

Exploit https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x

http://www.openwall.com/lists/oss-security/2025/07/11/4

https://lists.debian.org/debian-lts-announce/2025/07/msg00017.html

Exploit https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal