What the 2025 PHP Security Audit Reveals - Why It Matters for Production Systems

Introduction

The core of PHP, one of the most widely deployed backend technologies, has undergone a comprehensive security audit. Commissioned and funded by independent external parties, this audit was conducted by an independent security company. Over the course of 57 days, the company reviewed critical components of the PHP interpreter (php-src) in preparation for the release of PHP 8.4.

This post summarizes the audit’s results, outlines relevant technical risks for teams running PHP in production, and highlights recommended next steps for improving the security posture of PHP-based applications.

Why the Audit Was Conducted

PHP powers a large portion of the modern internet, including e-commerce systems, CMS platforms, enterprise intranets and Software-as-a-Service (SaaS) backends. While its feature set has evolved considerably, the runtime itself remains performance-critical and security-sensitive.

The objective of the audit was not only to identify vulnerabilities, but to assess structural weaknesses, validate assumptions in cryptographic usage, evaluate PHP-FPM behavior, and establish best practices for safe deployment - particularly in environments where multi-tenancy or…