CVE-2023-0662

DOS vulnerability when parsing multipart request body

Publication Date2023-02-14
SeverityCritical
TypeDenial of Service
Affected PHP Versions
  • 7.1.0-7.1.33
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.27
  • 8.1.0-8.1.15
  • 8.2.0-8.2.2
Fixed Product Versions
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendServer 9.1.16
  • ZendServer 2019.1.3
  • ZendServer 2021.3.1

CVE Details

When parsing a multipart request body, depending on the number of parts and total size of the request body, PHP may fill all memory and/or available disk space, leading to a DoS vector. This vulnerability affects the mod_php and php-fpm SAPIs across all PHP versions.

Recommendations

We strongly recommend upgrading to a known patched version of PHP immediately.

If you cannot, you can mitigate this attack in a couple of ways:

  • Reduce the configured memory_limit in your php.ini to a safe level. The default is 128M; consider a lower value that suits your application needs.
  • Reduce the maximum size of POST requests (or any request receiving a message content body) via the post_max_size value in the php.ini. The default is 8M; consider lowering this.
  • Reduce the maximum file upload size, via the upload_max_filesize setting in the php.ini. By default, this is 2M. (Please be aware that the post_max_size value MUST be larger than this value.)

Additionally, both Apache HTTPD and nginx have configuration settings for rejecting requests that are larger than a configured size (for Apache HTTPD, this is the SecRequestBodyLimit setting via mod_security; for nginx, create a condition based on the $request_length variable).