Share
## https://sploitus.com/exploit?id=B3FC4FAD-E184-53D3-A7D8-E49C7B4DF82C
# CVE-2025-14177 โ€” PHP `getimagesize()` Heap Memory Leak

> **For authorized penetration testing and security research only.**

## Vulnerability

| Field | Value |
|---|---|
| CVE | CVE-2025-14177 |
| CWE | CWE-524 (Use of Uninitialized Resource) |
| Severity | MODERATE โ€” CVSS 6.3 |
| Root cause | `php_read_stream_all_chunks()` writes successive chunks to `buffer[0]`, overwriting previous data with uninitialized heap memory |

### Affected versions

- PHP  8192 bytes)
- Unusual memory patterns in `$info` array
- Repeated `getimagesize()` calls with `php://filter` wrappers
- Hex-encoded data exfiltration in responses

---

## Remediation

Upgrade PHP to patched version. No workaround โ€” patch required.

```bash
php -v  # verify version
```

If upgrade blocked: strip `APP1` from `$info` before returning to client, or disable `php://filter` in `allow_url_fopen`.

---

## Disclaimer

This tool is for **authorized security testing only**. Unauthorized use against systems you do not own or have explicit written permission to test is illegal.