PHP 8.5.1: Downloads, Changelog, News

Release Information

Release
8.5.1
PHP Version
PHP 8.5
Release Date
Release Type
Security Update
Release Status
Latest
Branch Status
Supported (Latest)

Latest PHP release in the latest version. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.5 continues to receive bug fixes and security fixes until 2027-12-31.

Downloads

Source Code

Git Clone
Use Git to clone the 8.5.1 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.5.1
How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.5.1-x64NTS.zip
Size: 32.98 MiB SHA256: 3dd31ba30ad76d7506422327884bba42034b3f61b4429cb3543dc07cde6a96df
php-8.5.1-x86NTS.zip
Size: 29.48 MiB SHA256: 59aa5b91ab283451be8b0339c50d57bfd672e5ab1996a027d722762457c0dd6e
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.5.1-x64TS.zip
Size: 33.11 MiB SHA256: f7ab14efd387e698684ae3ebead475fb148c7b59342673e394087afdd2f02a80
php-8.5.1-x86TS.zip
Size: 29.48 MiB SHA256: f65bf5d81ecdf4087fad30085d3de8363a93332bf9ac79bed27da479e5edfb0d

Docker/Podman Containers

PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.5.1-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.5.1-cli
PHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.5.1-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.5.1-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.5.1-fpm

ChangeLog

Core

  • Sync all boost.context files with release 1.86.0.
  • Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
  • Fixed bug GH-20546 (preserve_none attribute configure check on macOs issue). (David Carlier/cho-m)
  • Fixed bug GH-20286 (use-after-destroy during userland stream_close()).

Bz2

  • Fix assertion failures resulting in crashes with stream filter object parameters.

DOM

  • Fix memory leak when edge case is hit when registering xpath callback.
  • Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase).
  • Fix missing NUL byte check on C14NFile().

Fibers

  • Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).

Intl

  • Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).

Lexbor

  • Fixed bug GH-20501 (\Uri\WhatWg\Url lose host after calling withPath() or withQuery()).
  • Fixed bug GH-20502 (\Uri\WhatWg\Url crashes (SEGV) when parsing malformed URL due to Lexbor memory corruption).

LibXML

  • Fix some deprecations on newer libxml versions regarding input buffer/parser handling.

mysqli

  • Make mysqli_begin_transaction() report errors properly.

MySQLnd

  • Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).

Opcache

  • Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).

PDO

Phar

  • Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
  • Fix broken return value of fflush() for phar file entries.
  • Fix assertion failure when fseeking a phar file out of bounds.

PHPDBG

  • Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().

SPL

  • Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).

Standard

Streams

  • Fixed bug GH-20370 (User stream filters could violate typed property constraints).

URI

  • Fixed bug GH-20366 (ext/uri incorrectly throws ValueError when encountering null byte).
  • Fixed CVE-2025-67899 (uriparser through 0.9.9 allows unbounded recursion and stack consumption).

XML

  • Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).

Zip

  • Fix crash in property existence test.
  • Don't truncate return value of zip_fread() with user sizes.

Zlib

  • Fix assertion failures resulting in crashes with stream filter object parameters.

Commit List

Arnaud Le Blanc

  • Remove CE cache from non-interned file cache strings in b062410d32

Daniel Scherzer

  • Revert "Deprecate returning non-string values from a user output handler (#18932)" in GH-20455
  • NEWS: update for PHP 8.5.0RC5, fix next release in 86b0a2a2b0
  • Fix GH-20426: fix Spoofchecker::setRestrictionLevel() error in GH-20427

David Carlier

Gina Peter Banyard

  • sapi/phpdbg: use 'h' ZPP specifier instead of'H' in 414e7db68a
  • sapi/phpdbg: fixed ZPP type violation by using 'h' ZPP specifier instead of 'H' in 37e61a0dc0
  • Fix GH-20553: PDO::FETCH_CLASSTYPE ignores $constructorArgs in PHP 8.5.0 in b9d7268482

Ilija Tovilo

  • Correctly handle extra named args for magic call in debug_backtrace_get_args() in b620d9d228
  • Suppress libxml deprecations in 1754cdc033

Jakub Zelenka

manuel

Michael Orlitzky

  • ext/pcre/tests: support libpcre2-10.47 in bdf62b55bb

Michael Voříšek

  • Sync all boost.context files with release 1.86.0 in 3b2f03d16c
  • Sync all boost.context files with release 1.86.0 in 04bdc4aee0
  • Add "since PHP 8.1" to ReflectionXxx::setAccessible() deprecations in GH-20555

Máté Kocsis

  • ext/uri: Fix the distinction between an empty and a missing query/fragment for WHATWG URLs in GH-20208
  • Fix GH-20366 ext/uri: Do not throw ValueError on null-byte in GH-20489

Niels Dossche

  • pgsql: Fix memory leak when object init fails in GH-20387
  • Fix GH-20374: PHP with tidy and custom-tags in fcc159b4f6
  • tidy: Harden against tidyNodeGetText() failure in 0584e59734
  • Fix crashes when trying to instantiate uninstantiable classes via date static constructors in d3a4b4b09c
  • dom: Fix compile warning due to misplaced const cast in 7c96263cee
  • Fix memory leak in array_diff() with custom type checks in 80b731659a
  • Fix GH-20442: Phar does not respect case-insensitiveness of __halt_compiler() when reading stub in 4ee25395d5
  • Fix GH-20435: SensitiveParameter doesn't work for named argument passing to variadic parameter in 33a2acba44
  • Fix nightly failure due to OnChangeMemoryLimit changes in GH-20450
  • Fix memory leak when edge case is hit when registering xpath callback in e504ab778c
  • Fix GH-20439: xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback in GH-20453
  • xml: Fix unused variable warning in c145c2018e
  • Fix GH-20395: \Dom\ParentNode::querySelector and \Dom\ParentNode::querySelectorAll requires elements in $selectors to be lowercase in GH-20409
  • dom: Fix missing NUL byte check on C14NFile() in 8ad5915756
  • xml: Use safe_emalloc() correctly in 48b19a8ede
  • phar: Fix broken return value of fflush() for phar file entries in 2f9d86b677
  • Revert "ext/phar: Voidify flush function as it always returns EOL" in fd5c14e682
  • Fix assertion failure when fseeking a phar file out of bounds in d9e40372fc
  • Fix crash in property existence test in ext/zip in 46a15ed439
  • Fix assertion failures resulting in crashes with stream filter object parameters in 93ce0500aa
  • libxml: Fix some deprecations regarding input buffer/parser handling in 6054a900ff
  • zip: Don't truncate return value of zip_fread() with user sizes in 2f05830a5f
  • libxml: Fix input buffer deprecation in 8c2407714f
  • Fix GH-20491: SLES15 compile error with mbstring oniguruma in a1912e3cdd
  • Fix GH-20492: mbstring compile warning due to non-strings in 159ef1401c
  • Fix GH-20286: use-after-destroy during userland stream_close() in 27f17c3322
  • Fix GH-20583: Stack overflow in http_build_query via deep structures in 292a7f73ba
  • Fix GH-20584: Information Leak of Memory in 8fe7930533
  • Fix GH-20614: SplFixedArray incorrectly handles references in deserialization in 366ed4c750
  • Fix GHSA-h96m-rvf9-jgm2 in a7f2a15c5b
  • Fix GHSA-www2-q4fc-65wf in 6ba83131aa
  • intl: Fix tests for icu update in b8b7add531

Remi Collet

Tim Düsterhus

  • uri: Update to uriparser-0.9.9-59-gc3b4956 in GH-20437
  • lexbor: Cherry pick "URL: the cloning function does not copy the type for IPv4 and IPv6." in 8e6d375966
  • lexbor: Cherry pick "URL: fixed "use-after-poison" for an empty path entry." in 7610527d75
  • uri: Update to uriparser-0.9.9-79-gf47a7f0 in GH-20671
  • uri: Update to uriparser-0.9.9-85-g9a31011 in GH-20707

Volker Dusch

Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.