Release Information
- Release Type
- Security Update
- Release Status
- Latest Release in 8.3
- Branch Status
- Supported
Latest release for PHP 8.3. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.3.29 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.29How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.3.29-x64NTS.zip
Size: 30.76 MiB SHA256:
8d597d3ea622a904eb8765c2ff6c817f3d1988e9d036bd9455861eec11fa3ec7 php-8.3.29-x86NTS.zip
Size: 27.62 MiB SHA256:
3c0fbd0206640166d1f5f4133e82965192f45105eeee7e673a6d8d85d06543dd Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.3.29-x64TS.zip
Size: 30.91 MiB SHA256:
ca23b36638a42616f9ed93502679ff46e2109da841028ba916f3e4764149ecbe php-8.3.29-x86TS.zip
Size: 27.61 MiB SHA256:
64ddf80c885ef3e15af908db05164bb579f227ffe7949798843fbd3bd830335c ChangeLog
Core
- Sync all
boost.context files with release 1.86.0. - Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
- Fixed bug GH-20286 (use-after-destroy during userland
stream_close()).
Bz2
- Fix assertion failures resulting in crashes with stream filter object parameters.
Date
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors.
DOM
- Fix missing NUL byte check on C14NFile().
Fibers
- Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).
FTP
- Fixed bug GH-20601 (
ftp_connectoverflow on timeout).
GD
- Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
- Fixed bug GH-20602 (imagescale overflow with large height values).
Intl
- Fixed bug GH-20426 (
Spoofchecker::setRestrictionLevel()error message suggests missing constants).
LibXML
- Fix some deprecations on newer libxml versions regarding input buffer/parser handling.
MbString
- Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
- Fixed bug GH-20492 (mbstring compile warning due to non-strings).
mysqli
- Make
mysqli_begin_transaction()report errors properly.
MySQLnd
- Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).
Opcache
- Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).
PDO
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)
Phar
- Fixed bug GH-20442 (Phar does not respect case-insensitiveness of
__halt_compiler()when reading stub). - Fix broken return value of
fflush()for phar file entries. - Fix assertion failure when fseeking a phar file out of bounds.
PHPDBG
- Fixed ZPP type violation in
phpdbg_get_executable()andphpdbg_end_oplog().
SPL
- Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).
Standard
- Fix memory leak in
array_diff()with custom type checks. - Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in
dns_get_record()). - Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in
array_merge()). (CVE-2025-14178) - Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)
Tidy
- Fixed bug GH-20374 (PHP with tidy and custom-tags).
XML
- Fixed bug GH-20439 (
xml_set_default_handler()does not properly handle special characters in attributes when passing data to callback).
Zip
- Fix crash in property existence test.
- Don't truncate return value of
zip_fread()with user sizes.
Zlib
- Fix assertion failures resulting in crashes with stream filter object parameters.
Commit List
Arnaud Le Blanc
- Remove CE cache from non-interned file cache strings in b062410d32
Daniel Scherzer
David Carlier
- Fix GH-20483: ASAN stack overflow with small fiber.stack_size INI value in d2c5b3b25b
- Fix GH-20551: imagegammacorrect out of range gamma value in f88d247ce2
- Fix GH-20554:
php_cli_server()get http status as string build issue in 9149c35514 - Fix GH-20602:
imagescale()overflow with large height values in c8e13af455 - Fix GH-20601:
ftp_connect()timeout argument overflow in 4312a446d0 - Fix GH-20603 issue on windows 32 bits in 08bd4909fe
Eric Mann
- Update versions for PHP 8.3.29 in 2fe579bc26
Gina Peter Banyard
- sapi/phpdbg: use 'h' ZPP specifier instead of'H' in 414e7db68a
- sapi/phpdbg: fixed ZPP type violation by using 'h' ZPP specifier instead of 'H' in 37e61a0dc0
Ilija Tovilo
- Correctly handle extra named args for magic call in
debug_backtrace_get_args()in b620d9d228 - Suppress libxml deprecations in f7fb13eb07
Jakub Zelenka
- Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref in ecf82e74b6
- Update NEWS with info about security issues in 304596bbf8
Michael Orlitzky
- ext/pcre/tests: support libpcre2-10.47 in bdf62b55bb
Michael Voříšek
- Sync all
boost.context files with release 1.86.0 in 3b2f03d16c
Niels Dossche
- pgsql: Fix memory leak when object init fails in GH-20387
- Fix GH-20374: PHP with tidy and custom-tags in fcc159b4f6
- tidy: Harden against tidyNodeGetText() failure in 0584e59734
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors in d3a4b4b09c
- dom: Fix compile warning due to misplaced const cast in 7c96263cee
- Fix memory leak in
array_diff()with custom type checks in 80b731659a - Fix GH-20442: Phar does not respect case-insensitiveness of
__halt_compiler()when reading stub in 4ee25395d5 - Fix GH-20435: SensitiveParameter doesn't work for named argument passing to variadic parameter in 33a2acba44
- Fix GH-20439:
xml_set_default_handler()does not properly handle special characters in attributes when passing data to callback in GH-20453 - dom: Fix missing NUL byte check on C14NFile() in 8ad5915756
- xml: Use
safe_emalloc()correctly in 48b19a8ede - phar: Fix broken return value of
fflush()for phar file entries in 2f9d86b677 - Fix assertion failure when fseeking a phar file out of bounds in d9e40372fc
- Fix crash in property existence test in
ext/zipin 46a15ed439 - Fix assertion failures resulting in crashes with stream filter object parameters in 93ce0500aa
- libxml: Fix some deprecations regarding input buffer/parser handling in 6054a900ff
- zip: Don't truncate return value of
zip_fread()with user sizes in 2f05830a5f - libxml: Fix input buffer deprecation in 8c2407714f
- Fix GH-20491: SLES15 compile error with mbstring oniguruma in a1912e3cdd
- Fix GH-20492: mbstring compile warning due to non-strings in 159ef1401c
- Fix GH-20286: use-after-destroy during userland
stream_close()in 27f17c3322 - Fix GH-20583: Stack overflow in http_build_query via deep structures in 292a7f73ba
- Fix GH-20584: Information Leak of Memory in 8fe7930533
- Fix GH-20614: SplFixedArray incorrectly handles references in deserialization in 366ed4c750
- dom: Fix compile warning due to misplaced const cast in bd67ba66a8
- Fix GHSA-h96m-rvf9-jgm2 in 3529508a7a
- Fix GHSA-www2-q4fc-65wf in 56cbadf468
- intl: Fix tests for icu update in 5eefdbc455
Remi Collet
- Fix GH-20528: Regression breaks mysql connexion using an IPv6 address enclosed in square brackets in 9d71c1e0b6
- NEWS in 769f319867