CVE-2009-4418
PHP < 5.3.0 - Denial of Service via Deeply Nested Unserialize
The unserialize function in PHP 5.3.0 and earlier allows context-dependent attackers to cause a denial of service (resource consumption) via a deeply nested serialized variable, as demonstrated by a string beginning with a:1: followed by many {a:1: sequences.
References (2)
Various Sources (x_refsource_misc): http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
Various Sources (x_refsource_misc): http://www.suspekt.org/2009/11/28/shocking-news-in-php-exploitation/
Scores
EPSS: 0.0040
EPSS Percentile: 60.7%
Details
CWE: CWE-189 (Numeric Errors)
Status: published
Products (28)
php/php 5
php/php 5.0 rc1 (3 CPE variants)
php/php 5.0.0 (8 CPE variants)
php/php 5.0.1
php/php 5.0.2
php/php 5.0.3
php/php 5.0.4
php/php 5.0.5
php/php 5.1.0
php/php 5.1.1
... and 18 more
Published: Dec 24, 2009
Tracked Since: Feb 18, 2026