This Release is Outdated

The latest release of PHP 8.3 is PHP 8.3.31 . It is recommended to upgrade to the latest release.

PHP 8.3.23 Release Announcement

The PHP development team announces the immediate availability of PHP 8.3.23. This is a security release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.23 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

Source Code

PHP 8.3.23 (tar.gz)

sha256: ac9f3d6e9bcf1d5c4d66d2d954f89852c17fd4c5eba5811a3a8db08f38c908c7
PHP 8.3.23 (tar.bz2)

sha256: 05488f7b967d90a50932f0674dc356e1b795f522f0298b5ce24b680de233c2d4
PHP 8.3.23 (tar.xz)

sha256: 08be64700f703bca6ff1284bf1fdaffa37ae1b9734b6559f8350248e8960a6db

Change Log

core
- Fixed GH-18695 (zend_ast_export() - float number is not preserved).
- Do not delete main chunk in zend_gc.
- Fix compile issues with zend_alloc and some non-default options.
curl
- Fix memory leak when setting a list via curl_setopt fails.
- Fix incorrect OpenSSL version detection.
date
- Fix leaks with multiple calls to DatePeriod iterator current().
fpm
- Fixed GH-18662 (fpm_get_status segfault).
hash
- Fixed bug GH-14551 (PGO build fails with xxhash).
intl
- Fix memory leak in intl_datetime_decompose() on failure.
- Fix memory leak in locale lookup on failure.
odbc
- Fix memory leak on php_odbc_fetch_hash() failure.
opcache
- Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
openssl
- Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
- Fixed bug #74796 (Requests through http proxy set peer name).
phar
- Add missing filter cleanups on phar failure.
- Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
phpdbg
- Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
pdo odbc
- Fix memory leak if WideCharToMultiByte() fails.
pgsql
- Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
- Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
random
- Fix reference type confusion and leak in user random engine.
readline
- Fix memory leak when calloc() fails in php_readline_completion_cb().
soap
- Fix memory leaks in php_http.c when call_user_function() fails.
- Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP ExtensionAdd commentMore actions via Large XML Namespace Prefix). (CVE-2025-6491)
standard
- Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
tidy
- Fix memory leak in tidy output handler on error.
- Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.