What’s New in PHP 8.5.1? Detailed Security Fixes and Component Updates
PHP 8.5.1 is a security‑focused release with bug fixes across the core, extensions, and bundled libraries. All PHP 8.5 users are urged to upgrade; links to the official download pages and the full changelog are listed under Resources.
Release Overview
PHP 8.5.1 is a security‑only update for the PHP 8.5 branch. All users of PHP 8.5 should upgrade to this version.
Core Changes
Synchronised all boost.context files with version 1.86.0.
Fixed GH‑20435 – SensitiveParameter is not applicable when passing named arguments to variadic functions.
Fixed GH‑20546 – preserve_none attribute configuration check issue on macOS.
Fixed GH‑20286 – use‑after‑destroy during user‑space stream_close().
Extension Fixes
Bz2: Resolved an assertion failure that caused a crash when stream filter object parameters were used.
DOM: Patched a memory leak when registering XPath callbacks under special conditions; fixed GH‑20395 (querySelector/querySelectorAll require lowercase selectors); added missing NUL‑byte check in C14NFile().
Fibers: Fixed GH‑20483 – ASAN stack overflow when fiber.stack_size INI value is small.
Intl: Fixed GH‑20426 – Spoofchecker::setRestrictionLevel() error message missing constant.
Lexbor: Fixed GH‑20501 – \Uri\WhatWg\Url loses host after withPath() or withQuery(); fixed GH‑20502 – memory corruption causing SEGV on malformed URLs.
LibXML: Addressed deprecation issues related to input buffers and parser handling in newer libxml versions.
MySQLnd: Fixed GH‑20528 – regression causing IPv6 address connections in brackets to fail.
Opcache: Fixed GH‑20329 – opcache.file_cache corruption when global string buffer is full.
PDO: Fixed GH‑20553 – PDO::FETCH_CLASSTYPE ignores $constructorArgs in PHP 8.5.0; fixed GHSA‑8xr5‑qppj‑gvwj (PDO quoting result null deref, CVE‑2025‑14180).
Phar: Fixed GH‑20442 – case‑insensitive handling of __halt_compiler() when reading stub; corrected fflush() return‑value error; fixed assertion failure when using fseek beyond bounds.
PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
SPL: Fixed GH‑20614 – SplFixedArray mishandles references during unserialisation.
Standard: Fixed memory leak in array_diff() and added custom type checks; fixed GH‑20583 – stack overflow in http_build_query() via deep structures; fixed GHSA‑www2‑q4fc‑65wf (null‑terminated byte in dns_get_record()); fixed GHSA‑h96m‑rvf9‑jgm2 – heap buffer overflow in array_merge() (CVE‑2025‑14178); fixed GHSA‑3237‑qqm7‑mfv7 – memory info leak in getimagesize() (CVE‑2025‑14177).
URI: Fixed GH‑20366 – ext/uri throws ValueError on null byte; fixed CVE‑2025‑67899 – uriparser recursion and stack consumption issue.
XML: Fixed GH‑20439 – xml_set_default_handler() mishandles special characters in attribute values.
Zip: Fixed crash in attribute existence test; stopped truncating zip_fread() return value when user‑specified size is used.
Zlib: Fixed assertion failure and crash caused by stream filter object parameters.
Resources
Release announcement: https://php.net/releases/8_5_1.php
Downloads: https://php.net/downloads/
Windows binaries: https://windows.php.net/download
Full changelog: https://php.net/ChangeLog-8.php
Detailed release list (gist): https://gist.github.com/edorian/bed6e9fd6f7f886a74a5818624751aa3
