Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP NULL Pointer Dereference Vulnerability (CVE-2025-6491)

Description

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

Remediation

References

Related Vulnerabilities

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-0372)

WordPress 4.2.x Multiple Vulnerabilities (4.2 - 4.2.12)

PHP Out-of-bounds Read Vulnerability (CVE-2016-5093)

Next.js User Interface (UI) Misrepresentation of Critical Information Vulnerability (CVE-2022-23646)

Moodle CVE-2023-5543 Vulnerability (CVE-2023-5543)

Severity

Medium

Classification

CVE-2025-6491 CWE-476 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities