CVE-2025-6491: CWE-476 NULL Pointer Dereference in PHP Group PHP
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.
AI Analysis
Technical Summary
CVE-2025-6491 is a vulnerability identified in the PHP SOAP extension affecting versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10. The issue arises during XML parsing when the namespace prefix in the XML exceeds 2 gigabytes in size, which is an abnormally large and malformed input. This triggers a null pointer dereference (CWE-476) within the PHP SOAP extension code, causing the PHP interpreter to crash. The consequence is a denial of service (DoS) condition, impacting the availability of the server running the vulnerable PHP version. The vulnerability does not affect confidentiality or integrity, as it does not allow code execution or data leakage. The CVSS v3.1 score is 5.9 (medium severity), reflecting network attack vector, no privileges required, no user interaction, but high attack complexity due to the need to craft and send extremely large XML payloads. No public exploits or active exploitation have been reported to date. The vulnerability is particularly relevant for web applications or services that consume SOAP-based XML data and do not impose strict input size validations. The PHP Group has acknowledged the issue and is expected to release patches in the specified versions. Until patches are applied, systems remain vulnerable to potential DoS attacks via maliciously crafted SOAP XML requests.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability of web services and applications that utilize PHP SOAP extensions for XML processing. Organizations in sectors such as finance, government, healthcare, and telecommunications, which often rely on SOAP-based integrations, could experience service interruptions if targeted. Denial of service attacks exploiting this vulnerability could disrupt critical business operations, leading to downtime, loss of customer trust, and potential regulatory scrutiny under frameworks like GDPR if service availability impacts data processing obligations. Since the vulnerability does not allow data breach or code execution, the confidentiality and integrity of data remain intact. However, the disruption of services could indirectly affect operational continuity and compliance. The medium severity rating suggests that while the risk is not critical, it is significant enough to warrant prompt attention, especially in environments with high availability requirements. The lack of known exploits reduces immediate risk but should not lead to complacency, as attackers may develop exploits once patches are released.
Mitigation Recommendations
European organizations should implement several specific measures to mitigate this vulnerability:
1) Upgrade PHP installations to the patched versions (8.1.33+, 8.2.29+, 8.3.23+, 8.4.10+) as soon as they become available from the PHP Group.
2) In the interim, configure web application firewalls (WAFs) or XML gateways to enforce strict limits on the size of XML namespace prefixes and overall XML payload size, preventing excessively large inputs from reaching the PHP SOAP parser.
3) Employ input validation and sanitization at the application layer to reject malformed or unusually large XML requests.
4) Monitor application logs and network traffic for anomalous SOAP requests that could indicate attempted exploitation.
5) Consider isolating SOAP processing services in dedicated environments with resource limits to contain potential crashes and prevent cascading failures.
6) Regularly review and update incident response plans to include scenarios involving DoS attacks targeting XML parsing vulnerabilities.
These targeted mitigations go beyond generic advice by focusing on controlling XML input size and applying layered defenses specific to SOAP XML processing.
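To support the upgrade step, the following added example (not code from the advisory or from the PHP project) classifies collected PHP version strings against the fixed releases listed above. The host names and version strings are constructed, and treating a pre-release build of a fixed version as "review" is an assumption of this example.

```python
import re

# Fixed patch release per branch, taken from the advisory text above.
FIXED = {(8, 1): 33, (8, 2): 29, (8, 3): 23, (8, 4): 10}

# Matches "8.2.28", "8.4.10RC1", "8.3.23-dev" inside banners or package versions.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:RC|alpha|beta)\d*|-dev)?")


def classify(version_string):
    """Return 'affected', 'patched', 'review', 'unlisted' or 'unparsed'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unparsed"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the advisory: make no claim either way.
        return "unlisted"
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and m.group(4):
        # Assumption: a pre-release of the fixed version may predate the fix.
        return "review"
    return "patched"


def audit(inventory):
    """Return (host -> verdict, sorted list of hosts that need the upgrade)."""
    verdicts = {host: classify(ver) for host, ver in inventory.items()}
    needs_upgrade = sorted(h for h, v in verdicts.items() if v == "affected")
    return verdicts, needs_upgrade


# Constructed inventory: host names and version strings are invented.
SAMPLE_INVENTORY = {
    "soap-gw-01": "PHP 8.1.32 (cli) (built: constructed sample)",
    "soap-gw-02": "8.2.29-1+distro1",
    "billing-api": "PHP 8.3.22 (fpm-fcgi)",
    "intranet": "8.4.10",
    "staging": "8.4.10RC1",
    "legacy-app": "PHP 7.4.33 (cli)",
    "broken-agent": "command not found",
}

if __name__ == "__main__":
    verdicts, needs_upgrade = audit(SAMPLE_INVENTORY)
    for host, verdict in sorted(verdicts.items()):
        print(f"{host:14} {verdict}")
    print("upgrade first:", ", ".join(needs_upgrade))
```

Hosts reported as "unlisted" or "unparsed" need a manual check, since the advisory makes no statement about branches outside 8.1 to 8.4.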
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: php
- Date Reserved: 2025-06-22T03:05:22.008Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68743023a83201eaacbf14dd
Added to database: 7/13/2025, 10:16:03 PM
Last enriched: 11/11/2025, 6:33:00 AM
Last updated: 11/17/2025, 10:44:41 AM