This Release is Outdated
The latest release of PHP 8.3 is PHP 8.3.31.
It is recommended to upgrade to the latest release.
PHP 8.3.29 Release Announcement
The PHP development team announces the immediate availability of PHP 8.3.29. This is a security release.
All PHP 8.3 users are encouraged to upgrade to this version.
For source downloads of PHP 8.3.29 please visit our downloads page; Windows source and binaries can also be found there.
The list of changes is recorded in the ChangeLog.
Source Code
Change Log
- core
  - Sync all boost.context files with release 1.86.0.
  - Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
  - Fixed bug GH-20286 (use-after-destroy during userland stream_close()).
- bz2
  - Fix assertion failures resulting in crashes with stream filter object parameters.
- date
  - Fix crashes when trying to instantiate uninstantiable classes via date static constructors.
- dom
  - Fix missing NUL byte check on C14NFile().
- fibers
  - Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).
- ftp
  - Fixed bug GH-20601 (ftp_connect overflow on timeout).
- gd
  - Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
  - Fixed bug GH-20602 (imagescale overflow with large height values).
- intl
  - Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).
- libxml
  - Fix some deprecations on newer libxml versions regarding input buffer/parser handling.
- mbstring
  - Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
  - Fixed bug GH-20492 (mbstring compile warning due to non-strings).
- mysqli
  - Make mysqli_begin_transaction() report errors properly.
- mysqlnd
  - Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).
- opcache
  - Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).
- pdo
  - Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)
- phar
  - Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
  - Fix broken return value of fflush() for phar file entries.
  - Fix assertion failure when fseeking a phar file out of bounds.
- phpdbg
  - Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
- spl
  - Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).
- standard
  - Fix memory leak in array_diff() with custom type checks.
  - Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
  - Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
  - Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178)
  - Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)
- tidy
  - Fixed bug GH-20374 (PHP with tidy and custom-tags).
- xml
  - Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).
- zip
  - Fix crash in property existence test.
  - Don't truncate return value of zip_fread() with user sizes.
- zlib
  - Fix assertion failures resulting in crashes with stream filter object parameters.