
CVE-2025-6491: CWE-476 NULL Pointer Dereference in PHP Group PHP

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-6491, cve, cve-2025-6491, cwe-476
Published: Sun Jul 13 2025 (07/13/2025, 22:10:15 UTC)
Source: CVE Database V5
Vendor/Project: PHP Group
Product: PHP

Description

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.

AI-Powered Analysis

Last updated: 07/13/2025, 22:31:21 UTC

Technical Analysis

CVE-2025-6491 is a medium-severity vulnerability identified in multiple PHP versions (8.1.*, 8.2.*, 8.3.*, and 8.4.*) prior to specific patch releases (8.1.33, 8.2.29, 8.3.23, and 8.4.10 respectively). The vulnerability arises in the SOAP extension of PHP when parsing XML data containing an excessively large XML namespace prefix exceeding 2 gigabytes in size. This malformed input triggers a NULL pointer dereference (CWE-476), which causes the PHP process handling the request to crash, leading to a denial of service (DoS) condition. The issue does not impact confidentiality or integrity but directly affects availability by crashing the server or service running PHP. The vulnerability can be exploited remotely over the network without authentication or user interaction; however, the attack complexity is high due to the need to craft and send a very large XML payload that triggers the NULL pointer dereference. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.9, reflecting a medium severity level with network attack vector, no privileges required, no user interaction, and impact limited to availability. This vulnerability is particularly relevant for web applications and services using PHP SOAP extensions to process XML data, as they may be susceptible to remote DoS attacks by maliciously crafted XML inputs.

Potential Impact

For European organizations, the primary impact of CVE-2025-6491 is the potential disruption of web services and applications relying on vulnerable PHP versions with SOAP extensions enabled. This could lead to temporary unavailability of critical business applications, customer-facing websites, or internal services, affecting operational continuity and potentially causing reputational damage. Industries with high reliance on PHP-based SOAP web services, such as financial services, e-government portals, healthcare systems, and telecommunications, may experience service interruptions. Although the vulnerability does not expose sensitive data or allow code execution, the denial of service could be leveraged as part of a larger attack campaign to degrade service availability or as a distraction while other attacks are conducted. Given the medium severity and lack of known exploits, the immediate risk is moderate, but organizations should prioritize patching to prevent future exploitation and maintain service reliability.

Mitigation Recommendations

To mitigate CVE-2025-6491, European organizations should:

1) Identify all PHP instances running versions 8.1.*, 8.2.*, 8.3.*, or 8.4.* prior to the fixed releases (8.1.33, 8.2.29, 8.3.23, 8.4.10) especially those with SOAP extensions enabled.
2) Apply official PHP patches or upgrade to the fixed versions as soon as they become available to eliminate the vulnerability.
3) If immediate patching is not feasible, implement network-level protections such as Web Application Firewalls (WAFs) with custom rules to detect and block unusually large XML namespace prefixes or oversized XML payloads targeting SOAP endpoints.
4) Monitor logs and network traffic for anomalous XML requests that could indicate attempted exploitation.
5) Limit exposure of SOAP services to trusted networks or authenticated users where possible to reduce attack surface.
6) Conduct regular vulnerability scans and penetration testing focused on SOAP and XML processing components to detect similar issues proactively.

These steps go beyond generic advice by emphasizing targeted detection, network filtering, and prioritization of patching based on SOAP usage.
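Step 1 can be scripted per host. The following is an added example, not code from the PHP project or from this advisory: it classifies a PHP version string against the fixed releases listed above and takes SOAP extension status as a second input. The function names and the status labels are this example's own.

```shell
#!/bin/sh
# Added example: classify a PHP build against the fixed releases on this page.

# Print the first patched patch level for a branch; nothing if not listed.
fixed_patch() {
    case "$1" in
        8.1) echo 33 ;;
        8.2) echo 29 ;;
        8.3) echo 23 ;;
        8.4) echo 10 ;;
    esac
}

# cve_2025_6491_status VERSION SOAP   (function name is this example's own)
#   VERSION: PHP_VERSION string, e.g. "8.2.28" or "8.3.22-1ubuntu1"
#   SOAP:    "yes" when the soap extension is loaded
# Prints: affected | version-affected-soap-off | patched | not-listed | unparsed
cve_2025_6491_status() {
    ver=${1%%[-+~]*}                      # drop distro/build suffix
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}               # "0RC1" -> "0"
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    done
    fixed=$(fixed_patch "$major.$minor")
    if [ -z "$fixed" ]; then echo not-listed; return 0; fi
    if [ "$patch" -ge "$fixed" ]; then echo patched; return 0; fi
    if [ "$2" = yes ]; then echo affected; else echo version-affected-soap-off; fi
}

# Probe the local interpreter when one is installed; skipped otherwise.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || v=unknown
    if php -m 2>/dev/null | grep -qix soap; then s=yes; else s=no; fi
    echo "php $v: $(cve_2025_6491_status "$v" "$s")"
fi
```

Distribution packages that backport fixes keep the upstream version number, so an `affected` result for a version with a distro suffix should be confirmed against the vendor's own advisory. `not-listed` only means the branch is outside the ranges this page names.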


Technical Details

Data Version: 5.1
Assigner Short Name: php
Date Reserved: 2025-06-22T03:05:22.008Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68743023a83201eaacbf14dd

Added to database: 7/13/2025, 10:16:03 PM

Last enriched: 7/13/2025, 10:31:21 PM

Last updated: 8/15/2025, 10:01:34 AM
