{"uuid": "9bbd91e2-309f-4b35-9b31-fc613b3101d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "PHP Core Security Audit Results", "description": "\n# PHP Core Security Audit Results\n\nPublished on Apr 10, 2025 by [Roman Pronskiy](https://twitter.com/pronskiy)\n\n[News](https://thephp.foundation/blog/tag/news)\n\nThe PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code ([php/php-src](https://github.com/php/php-src)), **commissioned by the [Sovereign Tech Agency](https://www.sovereign.tech/)**.\n\nThis initiative was organized in partnership with the [Open Source Technology Improvement Fund](https://ostif.org/) (OSTIF) and executed by the esteemed security group [Quarkslab](https://www.quarkslab.com/).\n\n## Audit Overview\n\nConducted over a two-month period in 2024, the audit encompassed:\n\n*   Development of a threat model tailored to php-src\n*   Manual code reviews\n*   Dynamic testing procedures\n*   Cryptographic assessments\n\nThe collaboration between Quarkslab\u2019s auditors and PHP maintainers ensured a thorough examination of the codebase.\n\n> _\u26a0\ufe0f_  \n> Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to [contact us](mailto:contact@thephp.foundation)!  \n> _\u26a0\ufe0f_\n\n## Key Findings\n\nThe audit identified 27 issues, with 17 having security implications:\n\n*   3 High-severity\n*   5 Medium-severity\n*   9 Low-severity\n\nAdditionally, 10 informational findings were reported.\n\nNotably, four vulnerabilities received CVE identifiers:\n\n*   CVE-2024-9026: Log tampering vulnerability in PHP-FPM, allowing potential manipulation or removal of characters from log messages.\n*   CVE-2024-8925: Flaw in PHP\u2019s multipart form data parsing, potentially leading to data misinterpretation.\n*   CVE-2024-8928: Memory-related vulnerability in PHP\u2019s filter handling, leading to segmentation faults.\n*   CVE-2024-8929: Issue where a malicious MySQL server could cause the client to disclose heap content from other SQL requests.\n\n## Recommendations and Resolutions\n\nQuarkslab\u2019s report commended the overall high quality and specification adherence of the php/php-src project.\n\nThe PHP development team has addressed all identified issues. Users are strongly encouraged to upgrade to the latest PHP versions to benefit from these security enhancements.\n\n## Acknowledgments\n\nWe extend our gratitude to the individuals and organizations that made this audit possible:\n\n*   **The PHP Foundation Team and PHP maintainers:**  \n    Jakub Zelenka, Arnaud Le Blanc, Niels Dossche, Ilija Tovilo, Stas Malyshev, Dmitry Stogov, Derick\u00a0Rethans, and Roman Pronskiy.\n*   **Quarkslab Team:**  \n    Ang\u00e8le Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi.\n*   **Sovereign Tech Agency:**  \n    Abigail Garner and the team \u2013 for commissioning the audit and all the help.\n*   **OSTIF:**  \n    Amir Montazery, Derek Zimmer, Helen Woeste \u2013 for organizing the collaboration.\n\nThis audit underscores our commitment to enhancing PHP\u2019s security and reliability. We remain dedicated to ongoing improvements and collaborations to ensure PHP\u2019s robustness for the global development community.\n\n## Further Reading\n\n*   [Audit Report](/assets/files/24-07-1730-REP-V1.4_temp.pdf)\n*   [OSTIF Blog](https://ostif.org/php-audit-complete/)\n*   [Quarkslab Blog](https://blog.quarkslab.com/security-audit-of-php-src.html)\n\nIf your company is interested in commissioning another round of security audits, please contact The PHP Foundation team: [contact@thephp.foundation](mailto:contact@thephp.foundation).\n", "creation_timestamp": "2025-04-14T04:19:32.036654+00:00", "timestamp": "2025-04-14T04:19:32.036654+00:00", "related_vulnerabilities": ["CVE-2024-8929", "CVE-2024-9026", "CVE-2024-8928", "CVE-2024-8925"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
