CVE-2024-1874
Command injection via array-ish $command parameter of proc_open even if the bypass_shell option is enabled on Windows
| Publication Date | 2024-02-25 |
|---|---|
| Severity | Critical |
| Type | Remote Code Execution |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
Since PHP 7.4.0, proc_open() has accepted the command and its arguments as an array, one element per argument. On Windows, proc_open() also accepts the bypass_shell option, which starts the program directly instead of launching it through cmd.exe. This is commonly used so that cmd.exe never parses the arguments, because cmd.exe treats certain metacharacters (for example `&`, `|` and `%`) as instructions that can spawn other programs. In affected PHP versions, however, if the command being launched is a .bat or .cmd script, Windows still runs it through cmd.exe implicitly, so the arguments are shell-parsed after all and an attacker who controls one of them can execute arbitrary commands.
Recommendations
If you do not use proc_open(), or you do not run PHP on Windows, no action is necessary. If you do, ensure that every argument passed to proc_open() is validated or filtered so that cmd.exe metacharacters cannot reach a .bat or .cmd target and result in command execution.
We highly recommend updating to a patched version of PHP immediately.
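The following is an added example illustrating both the vulnerable pattern described under CVE Details and the argument filtering recommended above; it is not code from the advisory or from PHP itself. BATCH_SCRIPT is a hypothetical batch file that takes one file-name argument, and the allowlist in isSafeBatchArgument() is one conservative choice, not the only possible one.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or from PHP. BATCH_SCRIPT is a
// hypothetical batch file that takes a single file-name argument.
const BATCH_SCRIPT = 'C:\\tools\\convert.bat';

// Vulnerable pattern from the advisory: array form plus bypass_shell, but the
// target is a batch file, so Windows still runs it through cmd.exe. In
// affected versions a value such as "report.txt & calc.exe" is parsed by
// cmd.exe and launches calc.exe.
function convertVulnerable(string $fileName): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([BATCH_SCRIPT, $fileName], $spec, $pipes, null, null, ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $stdout;
}

// True when the command target is a batch file, which Windows always runs
// through cmd.exe regardless of bypass_shell.
function targetIsBatchFile(string $program): bool
{
    return preg_match('/\.(bat|cmd)\z/i', $program) === 1;
}

// Conservative allowlist for an argument that cmd.exe will parse. Everything
// cmd.exe treats specially (& | < > ^ % ! " ( ) and control characters,
// including newlines) falls outside this set. Legitimate values containing
// spaces are rejected too; that is the intended trade-off.
function isSafeBatchArgument(string $arg): bool
{
    return $arg !== ''
        && strlen($arg) <= 255
        && preg_match('/\A[A-Za-z0-9_.\-]+\z/', $arg) === 1;
}

// Hardened wrapper around proc_open(): refuses unsafe arguments whenever the
// target is a .bat or .cmd file. Returns the child's stdout.
function runGuarded(array $command): string
{
    $program = (string) $command[0];
    if (targetIsBatchFile($program)) {
        foreach (array_slice($command, 1) as $arg) {
            if (!isSafeBatchArgument((string) $arg)) {
                throw new InvalidArgumentException(
                    'Argument rejected for batch target ' . $program . ': ' . $arg
                );
            }
        }
    }

    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // bypass_shell still belongs here: it protects .exe targets, it just
    // cannot protect batch-file targets on its own.
    $proc = proc_open($command, $spec, $pipes, null, null, ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed for ' . $program);
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $stdout;
}

// Self-check of the allowlist with constructed inputs; runs on any OS since
// it never launches a process.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $samples = [
        'report.txt'            => true,
        'report.txt & calc.exe' => false,
        '%PATH%'                => false,
        "a\r\ncalc.exe"         => false,
        '"x" ^| y'              => false,
    ];
    foreach ($samples as $arg => $expected) {
        $got = isSafeBatchArgument($arg);
        printf("%-28s %s\n", json_encode($arg), $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Use runGuarded([BATCH_SCRIPT, $userSuppliedName]) in place of the direct proc_open() call; on a patched PHP it is harmless redundancy, on an affected build it is the only thing standing between the attacker's argument and cmd.exe. Where an argument legitimately needs characters outside the allowlist, prefer invoking the underlying .exe directly with the array form and bypass_shell rather than widening the allowlist.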