
CVE-2025-1735: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in PHP Group PHP

Severity: Medium
Type: Vulnerability
Tags: cve, CVE-2025-1735, CWE-89, CWE-476
Published: Sun Jul 13 2025 (07/13/2025, 22:27:48 UTC)
Source: CVE Database V5
Vendor/Project: PHP Group
Product: PHP

Description

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.*, the pgsql and pdo_pgsql escaping functions do not check whether the underlying quoting functions returned errors. This could cause crashes if the Postgres server rejects the string as invalid.

AI-Powered Analysis

Last updated: 07/13/2025, 23:01:24 UTC

Technical Analysis

CVE-2025-1735 affects multiple PHP release lines (8.1.*, 8.2.*, 8.3.*, and 8.4.*) and is specific to the PostgreSQL (pgsql) and PDO_PGSQL extensions. The escaping functions these extensions expose for building PostgreSQL queries do not verify whether the underlying libpq quoting routines reported an error. When the PostgreSQL server rejects a string as invalid, the error goes unnoticed and the extension continues with a failed result, which can crash the PHP process. Although the issue is categorized under CWE-89 (SQL Injection) and CWE-476 (NULL Pointer Dereference), the practical risk is not direct SQL injection but denial of service (DoS) through application crashes caused by the unhandled escaping error. The CVSS v3.1 base score is 5.9 (medium), with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, and high availability impact. No exploitation in the wild has been reported. Affected versions are those before 8.1.33, 8.2.29, and 8.3.23; the description also lists 8.4.* without stating its fixed release. The root cause is missing validation of error returns from the quoting functions, so invalid strings reaching the escaping layer can crash web applications that run these PHP versions with the affected extensions.
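The defensive pattern the analysis implies is shown below as an added example; it is not code from the advisory or from the PHP project. Parameterised queries keep values out of the client-side escaping path entirely, and legacy code that still escapes must treat a `false` return from `PDO::quote()` or `pg_escape_literal()` as a failure rather than interpolating it. The DSN, credentials, table and column names are assumptions for illustration.

```php
<?php
// Added example (not from the advisory or the PHP project): defensive query
// construction for pdo_pgsql and pgsql. Connection details, table and column
// names are assumed for illustration.

declare(strict_types=1);

/**
 * Preferred path: a parameterised query. The value is sent separately from the
 * SQL text, so it never passes through the client-side escaping functions the
 * advisory describes; a string the server rejects surfaces as a query error
 * that the ERRMODE_EXCEPTION setting below turns into a catchable exception.
 */
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM app_user WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Legacy path (PDO): code that still builds SQL from escaped strings must treat
 * a `false` return as a hard failure. Interpolating `false` would silently put
 * an empty string into the statement.
 */
function quoteOrFail(PDO $pdo, string $value): string
{
    $quoted = $pdo->quote($value);                 // documented as string|false
    if ($quoted === false) {
        throw new RuntimeException('PDO::quote() could not escape the value');
    }
    return $quoted;
}

/**
 * Legacy path (pgsql extension): same rule for pg_escape_literal(), which is
 * documented to return false on failure.
 */
function escapeLiteralOrFail(PgSql\Connection $conn, string $value): string
{
    $quoted = pg_escape_literal($conn, $value);    // string|false
    if ($quoted === false) {
        throw new RuntimeException('pg_escape_literal() failed: ' . pg_last_error($conn));
    }
    return $quoted;
}

// Usage with assumed DSN and credentials. Untrusted input is taken from the
// request; whether the escaping call fails depends on the server's encoding
// checks, and either way the application answers with a 500 instead of dying.
$untrustedName = (string) ($_GET['name'] ?? '');

try {
    $pdo = new PDO('pgsql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $user = findUserByName($pdo, $untrustedName);
    echo json_encode($user), PHP_EOL;

    // Only for code that cannot yet be moved to prepared statements:
    $literal = quoteOrFail($pdo, $untrustedName);
    $result  = $pdo->query('SELECT count(*) FROM app_user WHERE name = ' . $literal);
    echo $result->fetchColumn(), PHP_EOL;
} catch (PDOException | RuntimeException $e) {
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    echo 'temporary database error', PHP_EOL;
}
```

Moving queries to `prepare()`/`execute()` or `pg_query_params()` is the durable fix because it removes the dependency on the escaping functions; the `OrFail` helpers are a stopgap for code that cannot be migrated before the upgrade.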

Potential Impact

For European organizations, this vulnerability primarily poses a denial-of-service risk rather than a risk of data breach or unauthorized data manipulation. Web applications running vulnerable PHP versions against PostgreSQL backends can crash when malicious or malformed input triggers the error condition in the escaping functions. This can disrupt business operations, especially for organizations whose services depend on PHP and PostgreSQL. The impact is most pronounced for high-availability services, e-commerce platforms, and critical-infrastructure web portals, where downtime leads to financial loss, reputational damage, and regulatory scrutiny under GDPR if service availability is compromised. Since no confidentiality or integrity compromise is indicated, the threat is mostly operational; repeated or targeted exploitation could still serve a broader attack strategy by degrading service or distracting security teams.

Mitigation Recommendations

Organizations should immediately verify their PHP versions and upgrade to the fixed releases: 8.1.33 or later, 8.2.29 or later, and 8.3.23 or later, as soon as they are available. Until the upgrade is applied, developers should add input validation and sanitization for all user input that reaches PostgreSQL queries, so that fewer invalid strings reach the database layer. A Web Application Firewall (WAF) with rules for malformed SQL input targeting PostgreSQL can reduce the attack surface. Monitoring application logs for unusual query errors or crashes tied to the PostgreSQL escaping functions gives early detection of exploitation attempts. Robust error handling in application code, so that database errors are handled gracefully, prevents the crash from taking the whole application down. For critical systems, consider temporarily disabling or restricting access to the vulnerable extensions where feasible. Regularly review and test backup and recovery procedures to limit downtime if a DoS incident occurs.
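The first recommendation, verifying the PHP build, is shown below as an added triage script; it is not code from the advisory or the PHP project. The fixed versions for 8.1, 8.2 and 8.3 are the ones stated in this advisory; the 8.4 fixed release is not stated on this page, so it is left as a placeholder to be filled in from the PHP changelog. The script also checks whether pgsql or pdo_pgsql is loaded at all, since the issue only matters when one of them is in use.

```php
<?php
// Added example (not from the advisory or the PHP project): classify a PHP
// build against the advisory's fixed releases and report whether the affected
// extensions are loaded. The 8.4 entry is a placeholder, not a real version.

declare(strict_types=1);

/** Fixed release per minor branch, as given in the advisory (8.4 unknown here). */
const FIXED_RELEASES = [
    '8.1' => '8.1.33',
    '8.2' => '8.2.29',
    '8.3' => '8.3.23',
    '8.4' => 'FIXED-8.4-VERSION-PLACEHOLDER',
];

/**
 * Returns a finding for the given PHP version and extension list:
 *  - status:   fixed / affected / branch not listed / fix version unknown
 *  - exposed:  true only when the build is affected AND pgsql or pdo_pgsql
 *              is loaded, which is the combination the advisory describes.
 */
function assessPhpBuild(string $version, array $loadedExtensions): array
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    $fixed  = FIXED_RELEASES[$branch] ?? null;

    $usesPgsql = in_array('pgsql', $loadedExtensions, true)
              || in_array('pdo_pgsql', $loadedExtensions, true);

    if ($fixed === null) {
        $status = 'branch not listed in advisory';
    } elseif (str_contains($fixed, 'PLACEHOLDER')) {
        $status = 'fix version not stated here; check the PHP changelog for ' . $branch;
    } elseif (version_compare($version, $fixed, '<')) {
        $status = 'affected: upgrade to ' . $fixed . ' or later';
    } else {
        $status = 'fixed';
    }

    return [
        'version'      => $version,
        'branch'       => $branch,
        'pgsql_loaded' => $usesPgsql,
        'status'       => $status,
        'exposed'      => $usesPgsql && str_starts_with($status, 'affected'),
    ];
}

// Assess the interpreter running this script.
print_r(assessPhpBuild(PHP_VERSION, get_loaded_extensions()));

// Constructed inputs showing the decision logic without a real deployment:
print_r(assessPhpBuild('8.2.28', ['pdo', 'pdo_pgsql']));  // affected and exposed
print_r(assessPhpBuild('8.3.23', ['pgsql']));             // fixed
print_r(assessPhpBuild('8.1.30', ['mysqli']));            // affected, not exposed
```

Run it with the CLI binary of each deployed PHP build (`php assess.php`), and note that the CLI and web SAPI can load different extension sets, so the `pgsql_loaded` check is most reliable when run under the same configuration the application uses.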


Technical Details

Data Version: 5.1
Assigner Short Name: php
Date Reserved: 2025-02-27T04:04:57.553Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6874372ba83201eaacbf3d7d
Added to database: 7/13/2025, 10:46:03 PM
Last enriched: 7/13/2025, 11:01:24 PM
Last updated: 7/16/2025, 8:03:40 AM
