CVE-2022-31628

CVE-2022-31628 php: phar wrapper can produce a denial of service when using quine gzip file

Publication Date	2022-09-29
Severity	Moderate
Type	Remote Code Execution
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.33 7.4.0 - 7.4.30 8.0.0 - 8.0.23 8.1.0 - 8.1.10
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 8.1.20 ZendServer 9.1.15 ZendServer 2019.1.2 ZendServer 2021.3.0

CVE Details

In PHP versions before 7.4.31, 8.0.24, and 8.1.11, the PHAR uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Recommendations

If you use PHAR files to serve your website, the PHAR files utilize gzip compression, and you are on PHP versions prior to 7.4.31, 8.0.24, or 8.1.11, you should update to a patched version of PHP.

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations