Release Information
- Release Type
- Security Update
- Release Status
- Latest
- Branch Status
- Supported (Latest)
Latest PHP release in the latest version. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.4 continues to receive bug fixes and security fixes until 2026-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.4.5 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.4.5How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.4.5-x64NTS.zip (32.21 MiB)
php-8.4.5-x86NTS.zip (28.89 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.4.5-x64TS.zip (32.36 MiB)
php-8.4.5-x86TS.zip (28.96 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.5-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.4.5-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.5-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.4.5-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.4.5-fpmChangeLog
BCMath
- Fixed bug GH-17398 (bcmul memory leak).
Core
- Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
- Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
- Fix fallback paths in fastlong{add,sub}_function.
- Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value by reference).
- Fixed bug GH-17718 (Calling static methods on an interface that has
__callStaticis allowed). - Fixed bug GH-17713 (
ReflectionProperty::getRawValue()and related methods may call hooks of overridden properties). - Fixed bug GH-17916 (Final abstract properties should error).
- Fixed bug GH-17866 (
zend_mm_heapcorrupted error after upgrading from 8.4.3 to 8.4.4). - Fixed GHSA-rwp7-7vc6-8477 (Reference counting in
php_request_shutdowncauses Use-After-Free). (CVE-2024-11235)
DOM
- Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS).
- Fixed bug GH-17802 (\Dom\HTMLDocument querySelector attribute name is case sensitive in HTML).
- Fixed bug GH-17847 (xinclude destroys live node).
- Fix using Dom\Node with Dom\XPath callbacks.
FFI
- Fix FFI Parsing of Pointer Declaration Lists.
FPM
- Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
GD
- Fixed bug GH-17703 (imagescale with both width and height negative values triggers only an Exception on width).
- Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
LDAP
- Fixed bug GH-17704 (
ldap_searchfails when $attributes contains a non-packed array with numerical keys).
LibXML
- Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
- Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong
content-typeheader when requesting a redirected resource). (CVE-2025-1219)
MBString
- Fixed bug GH-17503 (Undefined float conversion in
mb_convert_variables).
Opcache
- Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
- Fixed bug GH-17577 (JIT packed type guard crash).
- Fixed bug GH-17747 (Exception on reading property in register-based FETCH_OBJ_R breaks JIT).
- Fixed bug GH-17715 (Null pointer deref in observer API when calling
cases()method on preloaded enum). - Fixed bug GH-17868 (Cannot allocate memory with tracing JIT on 8.4.4).
PDO_SQLite
- Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
- Fix cycle leak in sqlite3 setAuthorizer().
- Fix memory leaks in pdo_sqlite callback registration.
Phar
- Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG
- Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
- Fix memory leak in phpdbg calling registered function.
Reflection
- Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
- Fixed missing final and abstract flags when dumping properties.
Standard
- Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams
- Fixed bug GH-17650 (realloc with size 0 in
user_filters.c). - Fix memory leak on overflow in _php_stream_scandir().
- Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
- Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
- Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
- Fixed GHSA-v8xr-gpvj-cx9g (Header parser of
httpstream wrapper does not handle folded headers). (CVE-2025-1217)
Windows
- Fixed phpize for Windows 11 (24H2).
- Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib
- Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
- Fix memory leak when encoding check fails.
- Fix zlib support for large files.
Commit List
Arnaud Le Blanc
- Fix
ReflectionProperty::getRawValue()and related methods for properties overridden with hooks in 24b191a4de
Bob Weinand
Christoph M. Becker
- Relax timezone_IDforWindowsID_basic2.phpt expectations in afe8e2cdff
- Fix GH-17503: Undefined float conversion in
mb_convert_variablesin 55e676e181 - Fix
curl_basic_022.phptfor libcurl 8.12.0 in 36d46a4732 - Prevent using system DLLs when running the tests in c7bc14dd6b
- Adapt tests to Windows 11 in 765cebf73a
- Fix GH-17837: ::getColumnMeta() on unexecuted statement segfaults in 260e0e9bd3
- Fix GH-17855: CURL_STATICLIB flag set even if linked with shared lib in 29c39a3d91
- Fix GH-17855: CURL_STATICLIB flag set even if linked with shared lib in 200f16fcf7
- Fix GH-17879:
readfile_variation8-win32.phpttest conflict in 769f292a7a
Daniel Scherzer
- Reflection: show the type of object constants used as default properties in ca0414e64d
- Fix GH-17916: Final abstract properties should error in c0857e0d8a
- Reflection: indicate final and abstract properties in string output in 81f143e71f
David Carlier
- Fix GH-17703: imagescale both width and heigh set with negative values in dc7b661a60
- Fix GH-17772: imagepalettetotruecolor segfault on invalid truecolor pixel in 4d7d01d18e
- Fix GH-17797:
zend_test_compile_stringcrash on invalid script path in 0f63bee3e9 - Fix GH-17899:
zend_test_compile_stringcrash on invalid script path in cefdf00e7e
David Zhong
- Fix FFI Parsing of Pointer Declaration Lists in GH-17794
Dmitry Stogov
- IR Update in c730175be8
- Update IR in 9fb355b863
- Update IR in 352aca1ee1
- Update IR in dd404dc419
- Update IR in 819b1988a0
Ilija Tovilo
- Fix stack overflow detection for variable compilation in 333f5dd848
- Fix segfault when assigning to backing value by-ref from hook in ab6977d36c
- Add CONFLICT all to random port test in 726cf51236
- Fix curl protocols test expectation in 5b87faaaa7
- Use-after-free for ??= due to incorrect live-range calculation in 29dd6eb307
- Fix varying pgsql error message in 115a918790
Jakub Zelenka
- Fix GH-17643: FPM with httpd ProxyPass encoded PATH_INFO env in e48ceb0026
- Fix bug #72666: stat cache not cleared for plain paths in 930624899b
- Fix GHSA-ghsa-v8xr-gpvj-cx9g: http header folding in 9fe496696d
- Fix GHSA-pcmh-g36c-qc44: http headers without colon in 61bb8ef240
- Fix GHSA-52jp-hrpf-2jff: http redirect location truncation in 2488e73d1f
- Fix GHSA-hgf5-96fm-v528: http user header check of crlf in 963551715a
- Fix incorrectly ported tests for http in 789132c74f
- Update NEWS with entries for security fixes in 689c019f54
Michael Orlitzky
- ext/gd/tests: backport optional PNG support in 065b4ec125
- Fix GH-17891
gh17373.phpttest issue without freetype support in 174a7fe6f9
ndossche
- Partially fix GH-17387 in 5447473785
- Fix memory leak in phpdbg calling registered function in 62bbfdebaa
- Fix memory leak when encoding check fails in a54af45a41
Niels Dossche
- Fix GH-17609: Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS in 359eb30351
- Fix potential read of uninitialized padding data in DOM in GH-17628
- Fix GH-17654: Multiple classes using same trait causes function JIT crash in f88445bdf8
- Fix GH-17577: JIT packed type guard crash in 0c3cf1f311
- Fix fallback paths in fastlong{add,sub}_function in 7e06a81bbd
- Fix GH-17704:
ldap_searchfails when $attributes contains a non-packed array with numerical keys in 2fb88b2d80 - Fix GH-17650: realloc with size 0 in
user_filters.cin fd5d6ad5bd - Add .gitignore section for additional test build files in 6ea1c7cb5b
- Fix GH-17745: zlib extension incorrectly handles object arguments in 4b5c29ef50
- Fix GH-17747: Exception on reading property in register-based FETCH_OBJ_R breaks JIT in 34d8befe8d
- Fix memory leak on overflow in
_php_stream_scandir()in 678ecff980 - Fix zlib support for large files in 5aaf7b4937
- Fix GH-17808: PharFileInfo refcount bug in e735d2bc3b
- Fix GH-17802: \Dom\HTMLDocument querySelector attribute name is case sensitive in HTML in 3a4a320386
- Fix lowercase HTML attribute exceptions in 74df3e0404
- NEWS for GH-17794 in 86f5a31e5b
- Fix GH-17847: xinclude destroys live node in 9becccef17
- Fix using Dom\Node with Dom\XPath callbacks in 7974c62873
- Fix cycle leak in sqlite3 setAuthorizer() in 353f21487f
- Fix memory leaks in pdo_sqlite callback registration in 635fe263ac
- Fix GH-17868: Cannot allocate memory with tracing JIT on 8.4.4 in 5ede5415e1
- Fix GH-17866:
zend_mm_heapcorrupted error after upgrading from 8.4.3 to 8.4.4 in 2542357b6d - Backport GH-17869 to PHP 8.3 JIT in 3b4a58da44
- Fix GHSA-wg4p-4hqh-c3g9 in 3377d4fb4c
Remi Collet
- relax test for zlib-ng in ed1d51fa4f
- zip version is now 1.22.5 in 04a33a1122
Saki Takamachi
- Fixed GH-17398: bcmul memory leak in GH-17615
- follow up for GH-17615 in 18d96671a5
- Update versions for PHP 8.4.5 in 23e05bdcf2
Shivam Mathur
- ci: add workflow to trigger windows builds in f4aadb5537
Tim Düsterhus
zend_execute: Suppress values inUnhandledMatchErrorforzend.exception_ignore_args=1in GH-17619- Disallow calls to abstract
__call()/__callStatic()in GH-17719 - Free the trampoline when deprecation on materializing
__callStatic()of trait throws in GH-17729 - Fix GHSA-p3x9-6h7p-cgfc: libxml streams wrong
content-typeon redirect in e22b3a3708