php: Filter bypass in filter_var FILTER_VALIDATE_URL

Publication Date2024-06-07
TypeInformation Disclosure
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.28
  • 8.2.0-8.2.19
  • 8.3.0-8.3.7
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2021.3.5

CVE Details

Due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.


This bug impacts users that expect only completely valid URLs to be returned by filter_var (FILTER_VALIDATE_URL). As this function is meant to validate user supplied strings this will be exposed to raw user input often.

One course of mitigation is to switch from using filter_var() with the FILTER_VALIDATE_URL flag to instead using a 3rd-party library that performs URL validation without filter_var(). One good example is league/uri-interfaces, which can be used as follows:

use League\Uri\UriString;
use League\Uri\Exceptions\SyntaxError;

try {
} catch (SyntaxError $e) {
    // URL is invalid

Additionally, we recommend upgrading to a patched version of PHP.