Release Information
- Release Type
- Security Update
- Release Status
- Latest Release in 8.3
- Branch Status
- Supported
Latest release for PHP 8.3. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.19
./buildconf
), configuring the build ./configure
, and running make
.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:8.3.19-cli-alpine
docker pull php:8.3.19-cli
docker pull php:8.3.19-fpm-alpine
docker pull php:8.3.19-apache
docker pull php:8.3.19-fpm
ChangeLog
BCMath
- Fixed bug GH-17398 (bcmul memory leak).
Core
- Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
- Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
- Fix fallback paths in fastlong{add,sub}_function.
- Fixed bug GH-17718 (Calling static methods on an interface that has
__callStatic
is allowed). - Fixed bug GH-17797 (
zend_test_compile_string
crash on invalid script path). - Fixed GHSA-rwp7-7vc6-8477 (Reference counting in
php_request_shutdown
causes Use-After-Free). (CVE-2024-11235)
DOM
- Fixed bug GH-17847 (xinclude destroys live node).
FFI
- Fix FFI Parsing of Pointer Declaration Lists.
FPM
- Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
GD
- Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
LDAP
- Fixed bug GH-17704 (
ldap_search
fails when $attributes contains a non-packed array with numerical keys).
LibXML
- Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
- Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong
content-type
header when requesting a redirected resource). (CVE-2025-1219)
MBString
- Fixed bug GH-17503 (Undefined float conversion in
mb_convert_variables
).
Opcache
- Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
- Fixed bug GH-17577 (JIT packed type guard crash).
- Fixed bug GH-17899 (
zend_test_compile_string
with invalid path when opcache is enabled). - Fixed bug GH-17868 (Cannot allocate memory with tracing JIT).
PDO_SQLite
- Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
- Fix cycle leak in sqlite3 setAuthorizer().
Phar
- Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG
- Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
- Fix memory leak in phpdbg calling registered function.
Reflection
- Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
Sockets
- Fixed bug GH-17921 (socket_read/socket_recv overflow on buffer size).
Standard
- Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams
- Fixed bug GH-17650 (realloc with size 0 in
user_filters.c
). - Fix memory leak on overflow in _php_stream_scandir().
- Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
- Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
- Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
- Fixed GHSA-v8xr-gpvj-cx9g (Header parser of
http
stream wrapper does not handle folded headers). (CVE-2025-1217)
Windows
- Fixed phpize for Windows 11 (24H2).
- Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib
- Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
- Fix memory leak when encoding check fails.
- Fix zlib support for large files.
Commit List
Eric Mann
- Update versions for php 8.3.19 in f44f0d6447
Niels Dossche
- Fix branch target in
zend_jit_push_call_frame()
in fdeadcd9ba