October 19, 2023

CVE-2023-3823: Overview and Mitigation Steps for PHP Applications

PHP Development

CVE-2023-3823 is a high-severity PHP vulnerability that relates to the use of libmxl within PHP applications. In this blog we give an overview of the CVE, how it works, consequences of potential exploits, and how to mitigate this CVE on your PHP applications.

Back to top

What Is CVE-2023-3823?

CVE-2023-3823 is a vulnerability that relates to PHP’s use of libxml. The XML functions provided by PHP’s XML extension rely on libxml’s global state to track configuration variables, including whether external entities are loaded.

Unless the user explicitly changes it by calling a configuration change function, the state is assumed to be unchanged. This is the crux of the vulnerability. Because the state is global during a process, other PHP modules may also use libxml within the same process, change the state during the same process, and leave it in an unexpected state, such as allowing external entities to be loaded. 

This can lead to a situation where XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. Once enabled, this vulnerable state may persist in the same process across many requests, until the process is shut down or restarted.

When Was CVE-2023-3823 Disclosed?

CVE-2023-3823 was disclosed publicly by the PHP community on August 4th, 2023, and published by security communities less than a week later.

How Does CVE-2023-3823 Work?

Another module may use libxml and change its global configuration state, leave it changed, and lead to unexpected configurations, including allowing external entities to load. This could allow external XML to be parsed with external entities loaded, disclosing any local files accessible to PHP.

Who Does CVE-2023-3823 Impact?

Anyone running PHP that parses or interacts with XML documents.

Back to top

Consequences of a CVE-2023-3823 Exploit

The surface consequence of this exploit is that any local files accessible to PHP may be disclosed to a malicious party. That may not seem like a huge impact, but a savvy person could gather important information this way, including information concerning other vulnerabilities.

Back to top

CVE-2023-3823 Mitigation Options

The best mitigation is to receive a security patch. The PHP community has patched PHP 8.0, 8.1, and 8.2 with patches 30, 22, and 8 respectively. For those still on versions outside of community support, such as PHP 7.4, Zend by Perforce backports these patches for those versions. We had the fix for CVE-2023-3823 backported all the way back to PHP 7.2 by August 14th, 2023.

There’s also a temporary but less secure way to mitigate this vulnerability by setting a custom external entity loader for your application, which does nothing but return null.

Setting an External Entity Loader

Setting a custom external entity loader is fairly simple. One just has to call the function and pass it the custom function:

libxml_set_external_entity_loader(function () { return null; });


Keep in mind that simply setting it to null leaves it as default, which does nothing to mitigate the issue. “What not to do” example of setting it to null:



PHP 8.0.29 and Before

Please be sure to upgrade to PHP 8.0.30 to receive the patch that mitigates this vulnerability.

PHP 8.1.21 and Before

Please be sure to upgrade to PHP 8.1.22 to receive the patch that mitigates this vulnerability.

Zend 7.x Versions

If you're using PHP 7.x versions, be sure to reach out to our team for information on our LTS options (which have backported patches for PHP 7.2, 7.3, 7.4 and 8.0). 

If you're already a ZendPHP customer, please be sure to upgrade your ZendPHP instances to receive the latest patch. You can keep up with our releases here. You’ll see that we patched CVE-2023-3823 in the August release notes.

Back to top

Final Thoughts

For teams using PHP, it's important to patch CVE-2023-3823, and other vulnerabilities as soon as you're able to. The longer you wait after public disclosure, the longer the window of opportunity for potential exploit. If you're using an end of life PHP version, make sure that you're either able to backport security patches in house (harder than it sounds) or ensure you have commercial long-term support that can provide those patches for you.

As always, it's important to keep in mind the risks at hand, too. Not all CVEs are created equally, but high severity vulnerabilities like CVE-2023-3823 are important to keep an eye on. If you don't stay patched against these types of CVEs, you risk your company becoming the next headline. And, in the case of data breaches and exploits, not all publicity is good publicity.

Get Support for Your EOL PHP

A detailed table showing Zend's support PHP 7.2, PHP 7.3, PHP 7.4, PHP 8.0, PHP 8.1, and PHP 8.2.

Zend offers patched EOL PHP builds via their PHP long-term support offering. Learn more about the versions we support, and how we provide patches by visiting our PHP LTS solutions page today.

Explore LTS Options

Additional Resources

Back to top