PHP 8.4.16: Downloads, Changelog, News

Release Information

Release: 8.4.16
PHP Version: PHP 8.4
Release Date: 2025 Dec 18
Release Type: Security Update
Release Status: Latest Release in 8.4
Branch Status: Supported

Latest release for PHP 8.4. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.4 continues to receive bug fixes and security fixes until 2026-12-31.

PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds

Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.

php-8.4.16-x64NTS.zip

Size: 31.97 MiB SHA256: 53c08791c46d1271ce5acbd7b97f284b0aa0878098a10e8221fa98a9ca1321c8

php-8.4.16-x86NTS.zip

Size: 28.64 MiB SHA256: 821d38a86fdf9f2185e5e61e9772854fc977cd2191c2691072da0b1a6593cab6

Thread-Safe Builds

Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

php-8.4.16-x64TS.zip

Size: 32.12 MiB SHA256: 5637d84718610497b6ae70e359133143225c9e0b629c7dfc36f5e1333a3806b2

php-8.4.16-x86TS.zip

Size: 28.71 MiB SHA256: 49007cb94e06601fcc0939b74c2c379ec5b577b19203acf1b1c668810728a8b0

Docker/Podman Containers

PHP CLI

PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.4.16-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.

docker pull php:8.4.16-cli

PHP CLI + Web Server Integration

These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.4.16-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.

docker pull php:8.4.16-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.

docker pull php:8.4.16-fpm

ChangeLog

Core

Sync all boost.context files with release 1.86.0.
Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
Fixed bug GH-20286 (use-after-destroy during userland stream_close()).

Bz2

Fix assertion failures resulting in crashes with stream filter object parameters.

Date

Fix crashes when trying to instantiate uninstantiable classes via date static constructors.

DOM

Fix memory leak when edge case is hit when registering xpath callback.
Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase).
Fix missing NUL byte check on C14NFile().

Fibers

Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).

FTP

Fixed bug GH-20601 (ftp_connect overflow on timeout).

GD

Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
Fixed bug GH-20602 (imagescale overflow with large height values).

Intl

Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).

LibXML

Fix some deprecations on newer libxml versions regarding input buffer/parser handling.

MbString

Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
Fixed bug GH-20492 (mbstring compile warning due to non-strings).

mysqli

Make mysqli_begin_transaction() report errors properly.

MySQLnd

Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).

Opcache

Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).

PDO

Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)

Phar

Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
Fix broken return value of fflush() for phar file entries.
Fix assertion failure when fseeking a phar file out of bounds.

PHPDBG

Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().

SPL

Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).

Standard

Fix memory leak in array_diff() with custom type checks.
Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178)
Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)

Streams

Fixed bug GH-20370 (User stream filters could violate typed property constraints).

Tidy

Fixed bug GH-20374 (PHP with tidy and custom-tags).

XML

Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).

Zip

Fix crash in property existence test.
Don't truncate return value of zip_fread() with user sizes.

Zlib

Fix assertion failures resulting in crashes with stream filter object parameters.

Commit List

Arnaud Le Blanc

Remove CE cache from non-interned file cache strings in b062410d32

Daniel Scherzer

Fix GH-20426: fix Spoofchecker::setRestrictionLevel() error in GH-20427

David Carlier

Fix GH-20483: ASAN stack overflow with small fiber.stack_size INI value in d2c5b3b25b
Fix GH-20551: imagegammacorrect out of range gamma value in f88d247ce2
Fix GH-20554: php_cli_server() get http status as string build issue in 9149c35514
Fix GH-20602: imagescale() overflow with large height values in c8e13af455
Fix GH-20601: ftp_connect() timeout argument overflow in 4312a446d0

Gina Peter Banyard

sapi/phpdbg: use 'h' ZPP specifier instead of'H' in 414e7db68a
sapi/phpdbg: fixed ZPP type violation by using 'h' ZPP specifier instead of 'H' in 37e61a0dc0

Ilija Tovilo

Correctly handle extra named args for magic call in debug_backtrace_get_args() in b620d9d228
Suppress libxml deprecations in f7fb13eb07

Jakub Zelenka

Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref in d521259e44
Update NEWS with info about security issues in 769a8807d9

Michael Orlitzky

ext/pcre/tests: support libpcre2-10.47 in bdf62b55bb

Michael Voříšek

Sync all boost.context files with release 1.86.0 in 3b2f03d16c
Sync all boost.context files with release 1.86.0 in 04bdc4aee0

Niels Dossche

pgsql: Fix memory leak when object init fails in GH-20387
Fix GH-20374: PHP with tidy and custom-tags in fcc159b4f6
tidy: Harden against tidyNodeGetText() failure in 0584e59734
Fix crashes when trying to instantiate uninstantiable classes via date static constructors in d3a4b4b09c
dom: Fix compile warning due to misplaced const cast in 7c96263cee
Fix memory leak in array_diff() with custom type checks in 80b731659a
Fix GH-20442: Phar does not respect case-insensitiveness of __halt_compiler() when reading stub in 4ee25395d5
Fix GH-20435: SensitiveParameter doesn't work for named argument passing to variadic parameter in 33a2acba44
Fix memory leak when edge case is hit when registering xpath callback in e504ab778c
Fix GH-20439: xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback in GH-20453
xml: Fix unused variable warning in c145c2018e
Fix GH-20395: \Dom\ParentNode::querySelector and \Dom\ParentNode::querySelectorAll requires elements in $selectors to be lowercase in GH-20409
dom: Fix missing NUL byte check on C14NFile() in 8ad5915756
xml: Use safe_emalloc() correctly in 48b19a8ede
phar: Fix broken return value of fflush() for phar file entries in 2f9d86b677
Revert "ext/phar: Voidify flush function as it always returns EOL" in fd5c14e682
Fix assertion failure when fseeking a phar file out of bounds in d9e40372fc
Fix crash in property existence test in ext/zip in 46a15ed439
Fix assertion failures resulting in crashes with stream filter object parameters in 93ce0500aa
libxml: Fix some deprecations regarding input buffer/parser handling in 6054a900ff
zip: Don't truncate return value of zip_fread() with user sizes in 2f05830a5f
libxml: Fix input buffer deprecation in 8c2407714f
Fix GH-20491: SLES15 compile error with mbstring oniguruma in a1912e3cdd
Fix GH-20492: mbstring compile warning due to non-strings in 159ef1401c
Fix GH-20286: use-after-destroy during userland stream_close() in 27f17c3322
Fix GH-20583: Stack overflow in http_build_query via deep structures in 292a7f73ba
Fix GH-20584: Information Leak of Memory in 8fe7930533
Fix GH-20614: SplFixedArray incorrectly handles references in deserialization in 366ed4c750
dom: Fix compile warning due to misplaced const cast in bd67ba66a8
Fix deprecation warning for libxml SAX header in GH-18594
xml: Backport more deprecation fixes in dd2179433c
Tweak values for test on Windows in GH-20633
dom: Backport test for libxml changes in 688902d455
intl: Fix tests for icu update in 2b04e0831a
Fix GHSA-h96m-rvf9-jgm2 in e6d7d34c1a
Fix GHSA-www2-q4fc-65wf in 7ac9c40f67

Remi Collet

Fix GH-20528: Regression breaks mysql connexion using an IPv6 address enclosed in square brackets in 9d71c1e0b6
NEWS in 769f319867
NEWS in 74c4510da9

Saki Takamachi

Update versions for PHP 8.4.16 in 2890cbbc49