PHP 8.2.31 Update Patches Critical Security Flaws and Adds Brotli Support to Windows
PHP 8.2.31 drops with a heavy dose of security patches and a long overdue Windows improvement for developers who actually need modern compression. The release tacks on brotli and zstd support for Curl on Windows while squashing multiple vulnerabilities that could expose applications to cross-site scripting, SQL injection, and memory corruption. Running this update keeps servers from getting hit by known exploit chains and stops FPM from leaking status pages to random visitors.
PHP 8.2.31 Brings Brotli and Zstd to Windows Curl
The Windows build of PHP has lagged behind Linux and macOS when it comes to modern compression algorithms, and developers have been working around it for years. This release finally adds native brotli and zstd support to the Windows Curl extension, which means applications can now negotiate these formats without falling back to slower gzip or breaking entirely. The change matters because modern APIs and cloud storage services increasingly demand these formats for bandwidth savings. Skipping this update leaves Windows-based PHP environments stuck negotiating outdated compression or failing requests altogether.
Security Patches Close XSS, SQL Injection, and Memory Corruption Holes
The bulk of this release targets security vulnerabilities that attackers have already figured out how to exploit. The FastCGI Process Manager status page used to leak sensitive information through a straightforward cross-site scripting flaw, which means any public-facing status endpoint could be turned into a vector for session hijacking. PDO_Firebird had a SQL injection vector hiding inside NUL bytes within quoted strings, a classic mistake that happens when input sanitization stops at the first null character. The memory safety fixes cover null pointer dereferences in MBString, use-after-free bugs in SOAP, and signed integer overflows in the Standard functions. System administrators frequently see production environments crash or get pivoted because developers assumed internal PHP functions would silently reject malformed input. The SOAP module alone gets three separate CVEs patched, which suggests the extension carries enough legacy baggage that even minor parsing changes can trigger memory corruption.
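The NUL-byte bug class described above, as an added C example that is not code from PHP or PDO_Firebird: a C-string scan misses a quote that sits after an embedded NUL, while a length-aware quoter escapes it. The function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 6 bytes, an embedded NUL followed by a single quote. */
static const char SAMPLE[] = { 'a', 'b', '\0', '\'', 'c', 'd' };
#define SAMPLE_LEN (sizeof SAMPLE)

/* Weak pattern: strchr() treats the buffer as a C string and stops at the
 * first NUL, so quotes after it are never counted or escaped. */
size_t count_quotes_cstr(const char *s)
{
    size_t n = 0;
    for (const char *p = s; (p = strchr(p, '\'')) != NULL; p++)
        n++;
    return n;
}

/* Length-aware quoter: walks all len bytes, doubles every single quote and
 * reports the output length explicitly. Caller frees the result. */
char *quote_literal(const char *in, size_t len, size_t *out_len)
{
    if (len > (SIZE_MAX - 3) / 2)        /* 2 * len + 3 must not wrap */
        return NULL;
    char *out = malloc(2 * len + 3);     /* worst case: every byte is a quote */
    if (out == NULL)
        return NULL;
    size_t o = 0;
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'')
            out[o++] = '\'';             /* double the quote */
        out[o++] = in[i];                /* NUL bytes are copied, not treated as the end */
    }
    out[o++] = '\'';
    out[o] = '\0';
    *out_len = o;
    return out;
}

int main(void)
{
    size_t n = 0;
    char *q = quote_literal(SAMPLE, SAMPLE_LEN, &n);
    printf("cstr scan saw %zu quote(s); quoted length %zu\n", count_quotes_cstr(SAMPLE), n);
    free(q);
    return 0;
}
```

Anything that consumes the quoted value must use the returned length rather than `strlen()`, or the same truncation reappears one layer down.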
OpenSSL 4.0 Compatibility and Upgrade Considerations
The OpenSSL extension receives compatibility adjustments for version 4.0, which keeps PHP from choking on newer cryptographic libraries that some distributions are already pushing. This matters because forcing an older OpenSSL version just to keep PHP happy creates a security debt that will eventually bite system administrators. Upgrading requires a standard binary replacement or package manager update depending on the hosting environment. Developers should verify that custom SOAP or Firebird integrations still pass their test suites after the patch, since the underlying input handling changes slightly. The release does not introduce new features that break backward compatibility, but the security hardening means applications relying on previously broken input behavior might need minor adjustments.
Release php-8.2.31 · php/php-src
Tag for php-8.2.31
Grab the update before anyone else does. The Windows compression support alone is worth the downtime, and the security patches keep the usual script kiddies from knocking on your door. Let me know if your SOAP endpoints start throwing weird memory errors after the switch.
