
PHP 8.3.31 lands today with security fixes across FPM, MBString, SOAP and the Standard extension, plus brotli and zstd support for the Curl extension in the Windows builds. The fixes cover a cross-site scripting vector in the FPM status page, a NULL pointer dereference and several use-after-free bugs, and a NUL byte injection in the PDO Firebird driver's string quoting that could change the meaning of a generated SQL literal. The release also restores compatibility with OpenSSL 4.0. Administrators should schedule the upgrade promptly: the bugs are public now, and a use-after-free in a SOAP endpoint or a crash in an mbstring regex search is exactly the kind of flaw that gets probed once the changelog is out.



PHP 8.3.31 Release Brings Critical Security Patches and Windows Compression Support

PHP 8.3.31 drops today with a focus on closing security holes that could leave web applications exposed to cross-site scripting, SQL injection through the Firebird PDO driver, and memory corruption bugs. The update also brings brotli and zstd compression support to the Curl extension on Windows, so Windows builds can negotiate the same modern content encodings as builds on other platforms. Server administrators should prioritise this upgrade before attackers start probing the published flaws.

PHP 8.3.31 Adds Brotli And Zstd Support To Windows Curl Extension

The addition of brotli and zstd to the Curl extension on Windows closes a gap between the Windows builds and builds on other platforms. Earlier Windows builds were linked against a libcurl without these decoders, so PHP code could only negotiate gzip or deflate (or uncompressed responses) unless developers built their own libcurl and extension. This release ships the support natively: when an application asks for compression, libcurl advertises br and zstd in Accept-Encoding and decompresses the body transparently, which means smaller transfers from APIs that support those encodings with no manual library tweaks. The change comes from contributor Shivam Mathur and should immediately benefit applications that pull data from external services.
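As an added example (not code from php-src or the Windows build scripts), the following script checks whether the libcurl that ext/curl is linked against advertises brotli and zstd, then lets libcurl negotiate and undo whichever encoding the server picks. Run it with a URL as the first argument to perform a real request; without one it only reports local support, so it works offline. The function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src. Reports which content encodings the
// linked libcurl can decode, and optionally fetches a URL letting libcurl
// negotiate all of them.

/** Map of content encoding => whether the linked libcurl can decode it. */
function curlCompressionSupport(): array
{
    $features = curl_version()['features'];
    // Feature bits not defined in this PHP build are treated as unsupported.
    $bits = [
        'gzip/deflate' => CURL_VERSION_LIBZ,
        'brotli'       => defined('CURL_VERSION_BROTLI') ? CURL_VERSION_BROTLI : 0,
        'zstd'         => defined('CURL_VERSION_ZSTD') ? CURL_VERSION_ZSTD : 0,
    ];
    $support = [];
    foreach ($bits as $name => $bit) {
        $support[$name] = $bit !== 0 && ($features & $bit) === $bit;
    }
    return $support;
}

/**
 * Fetch $url with Accept-Encoding covering every encoding libcurl supports.
 * Returns the HTTP status, the Content-Encoding the server actually used,
 * and the already-decoded body.
 */
function fetchDecoded(string $url): array
{
    $encoding = 'identity';
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Empty string means "everything this libcurl can decode"; libcurl
        // also decompresses the body before handing it back.
        CURLOPT_ACCEPT_ENCODING => '',
        CURLOPT_HEADERFUNCTION  => function ($ch, string $line) use (&$encoding): int {
            if (stripos($line, 'content-encoding:') === 0) {
                $encoding = trim(substr($line, strlen('content-encoding:')));
            }
            return strlen($line);
        },
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['status' => $status, 'encoding' => $encoding, 'body' => $body];
}

foreach (curlCompressionSupport() as $name => $ok) {
    printf("%-13s %s\n", $name, $ok ? 'supported' : 'not available');
}

if (isset($argv[1])) {
    $r = fetchDecoded($argv[1]);
    printf("HTTP %d, Content-Encoding: %s, %d decoded bytes\n",
        $r['status'], $r['encoding'], strlen($r['body']));
}
```

On a Windows build before this release the brotli and zstd rows read "not available" and servers fall back to gzip; on 8.3.31 they read "supported" and the Content-Encoding line shows br or zstd when the server offers it. Passing an empty string to CURLOPT_ACCEPT_ENCODING is the portable way to ask for compression: it never hard-codes an encoding the local libcurl cannot decode.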

PHP 8.3.31 Patches Critical Vulnerabilities Across FPM, MBString, SOAP And Standard Extensions

The bulk of this release tackles memory corruption and injection flaws that could allow remote code execution or data leakage. FPM fixes a cross-site scripting vector in its status page (the endpoint configured by pm.status_path), which reflected request-derived data into its HTML output without escaping. That page exposes details of in-flight requests by design, so it should be reachable only from loopback or trusted monitoring hosts regardless of this patch. The Multibyte String extension fixes a NULL pointer dereference triggered by malformed regular expression searches; a NULL dereference does not cause a memory spike, it terminates the process, so untrusted input reaching that path in production meant crashed FPM children or Apache workers. SOAP receives three separate patches for stale pointers and use-after-free errors that could corrupt memory or crash worker processes. The Standard library closes a signed integer overflow in character array offsets and makes the ctype functions treat their input consistently as unsigned char, which avoids sign-dependent results for bytes above 0x7F on edge case inputs.

OpenSSL 4.0 Compatibility Adjustments Prevent Connection Failures

OpenSSL 4.0 removes and changes APIs that older PHP builds relied on, which showed up as handshake failures and certificate validation errors when those builds ran against it. This release updates the extension's use of the affected APIs, adjusting its cipher negotiation code and replacing deprecated function calls, so it compiles against the new headers and negotiates TLS normally. Applications on distributions that move to OpenSSL 4.0 can keep their existing TLS configuration without hitting obscure SSL error codes. The fix comes from contributors jordikroon and Remi, who tested the changes against the latest OpenSSL headers across different server environments.

Firebird Database Driver Blocks NUL Byte Injection Attacks

The PDO Firebird extension previously accepted NUL bytes inside strings passed to PDO::quote(), so a value containing a NUL followed by SQL could produce a literal whose meaning changed once the text reached the database API. This update changes the quoting routine to reject or properly escape those bytes before they reach the query parser. Systems that still use Firebird for legacy data storage are protected against this specific injection technique once upgraded; application code should in any case bind parameters rather than interpolate quoted values, since bound parameters never pass through the quoting path at all. The patch from SakiTakamachi brings the driver's quoting in line with the other PDO drivers, closing an edge case that could expose sensitive records.
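The defensive pattern the paragraph above recommends, as an added example rather than code from php-src: refuse NUL bytes before anything reaches PDO::quote(), check quote() for a false return, and use bound parameters for lookups so the value is never spliced into SQL text. It uses an in-memory SQLite database so it runs anywhere without a Firebird server; the functions, table and sample rows are constructed for this example, and the same pattern applies unchanged to the Firebird driver.

```php
<?php
declare(strict_types=1);

// Added example, not PHP's own code. SQLite stands in for Firebird so the
// script runs offline; the pattern is driver-independent.

/** Quote a value for interpolation, refusing anything a C-string API could truncate. */
function quoteOrFail(PDO $pdo, string $value): string
{
    // A quoted literal is spliced into SQL text. A NUL byte has no legitimate
    // place there, so reject it up front instead of trusting the driver.
    if (str_contains($value, "\0")) {
        throw new InvalidArgumentException('NUL byte in value passed to quote()');
    }
    $quoted = $pdo->quote($value);
    if ($quoted === false) {
        // Drivers without a quoting implementation return false; never fall
        // back to hand-rolled escaping here.
        throw new RuntimeException('driver cannot quote this value');
    }
    return $quoted;
}

/** Look up a user by exact name using a bound parameter (the preferred path). */
function findUserByName(PDO $pdo, string $name): ?array
{
    // Bound parameters travel separately from the SQL text, so the value is
    // never parsed as SQL and embedded NUL bytes stay plain data.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample data; the second name carries an embedded NUL.
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', "bob\0trailing"] as $n) {
    $ins->execute([':name' => $n]);
}

// Constructed attacker-style input: a NUL byte followed by SQL.
$hostile = "alice\0' OR 1=1 --";

try {
    $literal = quoteOrFail($pdo, $hostile);
    echo "quoted literal: $literal\n";
} catch (InvalidArgumentException $e) {
    echo "quote path rejected input: {$e->getMessage()}\n";
}

// The binding path needs no rejection: the whole byte string is compared as data.
$hit  = findUserByName($pdo, $hostile);
$bob  = findUserByName($pdo, "bob\0trailing");
echo 'hostile value matched a row: ' . ($hit === null ? 'no' : 'yes') . "\n";
echo 'NUL-bearing name round-tripped intact: '
    . ($bob !== null && $bob['name'] === "bob\0trailing" ? 'yes' : 'no') . "\n";
```

The quote path exists for the rare case where a value must be interpolated (identifiers, dynamically built IN lists); everywhere else, findUserByName shows the shape that makes the Firebird fix irrelevant to your code, because the driver's quoting routine is never invoked.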

Release php-8.3.31 · php/php-src (tag for php-8.3.31)

Watch your server and error logs after applying the update to catch lingering compatibility quirks, particularly on hosts that have also moved to OpenSSL 4.0. The stack runs cleaner and safer once these patches land, and scheduling a maintenance window now beats dealing with a compromised application later.