Out of bounds read in php_strip_tags_ex

Publication Date: 2020-01-23
Type: Information Disclosure
Affected PHP Versions
  • 7.2.0 - 7.2.26
  • 7.3.0 - 7.3.13
  • 7.4.0 - 7.4.1

CVE Details

When using the fgetss() function to read data while stripping HTML tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14, and 7.4.x below 7.4.2, it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.


fgetss() combines the functionality of fgets() with that of strip_tags(), which removes HTML and PHP tags, as well as null bytes. Considering fgetss() is deprecated, you should not be using it. Instead, you should call strip_tags() on each valid return value of fgets():

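// $fh is an open stream handle, e.g. returned by fopen()
while (($line = fgets($fh)) !== false) {
    // fgets() returns false at end of file or on error, so only valid lines reach strip_tags()
    $line = strip_tags($line);
    // do something with $line
}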

When possible, upgrade to PHP 7.2.27 or higher, 7.3.14 or higher, or 7.4.2 or higher.
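
To check a host and a code base against this advisory, the following added example (not part of the original advisory or of PHP itself) compares a version string with the fixed releases listed above and uses the tokenizer to locate fgetss() call sites. The function names and the sample source are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not part of PHP.

// True if $version is in a branch named by the advisory and predates its fix.
function php_version_affected(string $version): bool
{
    // First fixed release per branch, taken from the advisory text.
    $fixedIn = ['7.2' => '7.2.27', '7.3' => '7.3.14', '7.4' => '7.4.2'];
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m)) {
        return false; // unparseable version string
    }
    $fixed = $fixedIn[$m[1]] ?? null;
    return $fixed !== null && version_compare($version, $fixed, '<');
}

// Returns the line numbers where "fgetss(" appears as code (function or
// method). The tokenizer keeps comments and string literals from matching.
function find_fgetss_calls(string $source): array
{
    $tokens = token_get_all($source);
    $lines = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] === T_INLINE_HTML
            || $tok[0] === T_ENCAPSED_AND_WHITESPACE
            || strcasecmp(ltrim($tok[1], '\\'), 'fgetss') !== 0) {
            continue;
        }
        // Skip whitespace, then require "(" so bare mentions are not reported.
        $j = $i + 1;
        while (isset($tokens[$j]) && is_array($tokens[$j])
            && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if (($tokens[$j] ?? null) === '(') {
            $lines[] = $tok[2]; // token line number
        }
    }
    return $lines;
}

// Constructed sample source: one mention in a comment, one real call.
$sample = "<?php\n// fgetss() is only mentioned here\n"
        . "\$fh = fopen('page.html', 'r');\n\$line = fgetss(\$fh);\n";

var_dump(php_version_affected(PHP_VERSION)); // the running interpreter
var_dump(php_version_affected('7.3.13'));
var_dump(php_version_affected('7.4.2'));
print_r(find_fgetss_calls($sample));
```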