php: Arguments execute arbitrary commands in Windows shell

Publication Date2024-06-07
TypeRemote Code Execution
Affected PHP Versions
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.28
  • 8.2.0-8.2.19
  • 8.3.0-8.3.7
Fixed Product Versions
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2021.3.5

CVE Details

The fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.


For Windows users, we recommend updating to a patched version of PHP.