PHP security check uncovers critical vulnerabilities

A PHP security audit has revealed 27 vulnerabilities. Quarkslab nevertheless rates the PHP codebase positively. Updating is strongly recommended.




The Open-Source Technology Improvement Fund (OSTIF), with the support of the Sovereign Tech Fund and in collaboration with Quarkslab and the PHP Foundation, conducted a comprehensive security review of the PHP interpreter (PHP-SRC) last year. This review aimed to improve the security of the widely used scripting language interpreter before the release of PHP 8.4 in November 2024.

As part of the audit, which apparently lasted almost two months, the Quarkslab experts carried out a detailed analysis that included manual code review as well as dynamic testing and cryptographic checks. A total of 27 vulnerabilities were identified, 17 of them security-related issues. The most serious findings include two of high severity and six of medium severity.

Some vulnerabilities identified include:

  • A manipulation of PHP logs enabled by a flaw in data parsing logic (CVE-2024-9026).
  • Problems in the processing of multipart form submissions that could lead to incorrect data interpretation (CVE-2024-8925).
  • A memory issue in the PHP filter that leads to segmentation faults (CVE-2024-8928).
  • A vulnerability in the MySQL driver that can expose data from previous queries (CVE-2024-8929).

The PHP Foundation emphasizes in a blog post that, due to budget constraints, only the most critical components of the source code were reviewed. The components reviewed include PHP-FPM (FastCGI Process Manager), the MySQL database driver and the cryptographic functions.


Despite the vulnerabilities identified, the Quarkslab research team rates the general security standard of the PHP code as good. According to the blog post, most of the vulnerabilities identified require specific preconditions that are rarely met in production environments.


The vulnerabilities found have since been fixed by the PHP community. Users of the PHP interpreter (PHP-SRC) should update to the latest available version to benefit from the security improvements made.

More information can be found in a detailed report by Quarkslab SAS, the PHP Foundation blog post and an announcement at OSTIF.

(mdo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.