Description
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
References (4)
Core References
Exploit, Mailing List, Vendor Advisory x_refsource_misc
https://bugs.php.net/bug.php?id=73055
Patch, Third Party Advisory x_refsource_misc
https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83
Exploit, Vendor Advisory x_refsource_misc
https://bugs.php.net/bug.php?id=73055&edit=1
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html
Scores
CVSS v3
9.8
EPSS
0.0572
EPSS Percentile
90.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-704
Status
published
Products (3)
php/ext-http
2.6.0 (4 CPE variants)
php/ext-http
3.1.0 (4 CPE variants)
php/ext-http
< 2.5.6
Published
Sep 06, 2019
Tracked Since
Feb 18, 2026