CVE-2025-14177
Information Leak of Memory in getimagesizeIn PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
We have discovered 2,590,163 live websites that are affected by CVE-2025-14177.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 2,590,163 live websites (35% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 110 versions ( 22% of all versions) |
Common Weakness Enumeration
CWE-125 Out-of-bounds ReadDetails
- Published - Dec 27, 2025
- Updated - Dec 29, 2025
Credits
- Nikita Sveshnikov (Positive Technologies) (reporter)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14177 United States | 532,748 websites |
 Germany | 516,403 websites |
 France | 181,393 websites |
 Netherlands | 153,924 websites |
 Cyprus | 122,076 websites |
 GB | 120,119 websites |
 Russia | 93,224 websites |
 Sweden | 70,184 websites |
 Spain | 67,063 websites |
 Japan | 66,406 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14177| .com | 942,623 websites |
| .de | 326,659 websites |
| .nl | 147,679 websites |
| .org | 105,503 websites |
| .fr | 78,491 websites |
| .ru | 77,736 websites |
| .co.uk | 76,455 websites |
| .net | 70,431 websites |
| .se | 55,780 websites |
| .com.br | 50,784 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14177
Top websites that are affected by CVE-2025-14177. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****************.com | United States | *** | |
| ******.com | United States | *** | |
| **************.de | Germany | *** | |
| ***.******.com | United States | *** | |
| ********.com | United States | *** | |
| ******.org | United States | *** | |
| ************.com | United States | *** | |
| *********.space | United States | *** | |
| ********.info | United States | *** | |
| ********.org | United States | *** |
FAQ
CVE-2025-14177 is Out-of-bounds Read in PHP
A total of 2,590,163 websites have been identified as vulnerable to CVE-2025-14177, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2025-14177 vulnerability.
PHP versions up to 8.5.1 are vulnerable to CVE-2025-14177.
CVE-2025-14177 is resolved in version 8.5.1 of PHP.