CVE-2018-15503

HIGH

Swoole 4.0.4 - Denial of Service via Missing Size Check in Unpack Deserialization


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15503. PoCs published by X-C3LL.

AI-analyzed exploit summary
The repository contains functional exploit code demonstrating CVE-2018-15503, a deserialization vulnerability in Swoole 4.0.4. The PoCs trigger an arbitrary free and a memory leak via crafted serialized data, leading to potential crashes or information disclosure. Note that the vendor description confirms only a SEGV, and the CVSS vector on this page scores availability impact alone (C:N/I:N/A:H); treat the information-disclosure angle as unconfirmed by the advisory.

Description

The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.
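The bug class the description names, an unpack routine that trusts a length field embedded in the serialized data, shown beside a version that checks it. This is an added illustration, not Swoole's source and not the PoC from the repository listed on this page: the record layout (one tag byte, a 4-byte little-endian length, then the payload), the function names, the error codes and the two byte strings are all constructed for this example.

```c
/* Illustrative example for CVE-2018-15503, not Swoole's code: a toy
 * length-prefixed record is unpacked once without validating the embedded
 * length (the missing size check the advisory describes) and once with it.
 * Record layout, assumed for this example only:
 *   byte 0      tag (0x01 = string)
 *   bytes 1..4  payload length, little-endian
 *   bytes 5..   payload
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_STRING  0x01
#define MAX_PAYLOAD 256
#define HDR_LEN     5

struct record {
    uint8_t  tag;
    uint32_t len;                  /* length claimed by the serialized data */
    uint8_t  payload[MAX_PAYLOAD];
    size_t   next;                 /* offset of the next record as computed by the parser */
};

/* Constructed inputs (not taken from the PoC repository). */
static const uint8_t VALID_BLOB[]   = { TAG_STRING, 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t CRAFTED_BLOB[] = { TAG_STRING, 0xF0, 0xFF, 0xFF, 0xFF, 'A', 'B' }; /* claims 0xFFFFFFF0 bytes, carries 2 */
#define VALID_LEN   sizeof(VALID_BLOB)
#define CRAFTED_LEN sizeof(CRAFTED_BLOB)

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the header is range-checked, the claimed payload length is
 * not. To keep this example free of undefined behaviour it only computes the
 * offset a real deserializer would copy or free from; in the real bug that
 * pointer/length pair feeds memcpy() or free() and the process SEGVs. */
int unpack_unchecked(const uint8_t *buf, size_t buflen, size_t off, struct record *out)
{
    if (off > buflen || buflen - off < HDR_LEN)
        return -1;
    out->tag  = buf[off];
    out->len  = read_le32(buf + off + 1);
    out->next = off + HDR_LEN + out->len;   /* never compared against buflen */
    return 0;                               /* "success" even when next > buflen */
}

/* Hardened shape: the claimed length is checked against the bytes actually
 * remaining in the input and against the destination capacity before any copy. */
int unpack_checked(const uint8_t *buf, size_t buflen, size_t off, struct record *out)
{
    if (off > buflen || buflen - off < HDR_LEN)
        return -1;                                   /* header does not fit */
    uint8_t  tag = buf[off];
    uint32_t len = read_le32(buf + off + 1);
    size_t   remaining = buflen - off - HDR_LEN;
    if (tag != TAG_STRING)
        return -2;                                   /* unknown type tag */
    if (len > remaining)
        return -3;                                   /* claimed length exceeds input */
    if (len > MAX_PAYLOAD)
        return -4;                                   /* claimed length exceeds destination */
    out->tag  = tag;
    out->len  = len;
    memcpy(out->payload, buf + off + HDR_LEN, len);
    out->next = off + HDR_LEN + len;
    return 0;
}

/* Returns 1 when the unchecked parser accepts the crafted record and places the
 * next-record offset past the end of the input, the condition that becomes an
 * out-of-bounds access or bogus free in a real unpacker. */
int crafted_record_escapes_buffer(void)
{
    struct record r;
    if (unpack_unchecked(CRAFTED_BLOB, CRAFTED_LEN, 0, &r) != 0)
        return 0;
    return r.next > CRAFTED_LEN;
}

int main(void)
{
    struct record r;
    int rc = unpack_checked(VALID_BLOB, VALID_LEN, 0, &r);
    printf("valid blob, checked parser:   rc=%d len=%u\n", rc, r.len);
    rc = unpack_checked(CRAFTED_BLOB, CRAFTED_LEN, 0, &r);
    printf("crafted blob, checked parser: rc=%d\n", rc);
    printf("crafted blob escapes buffer under unchecked parser: %d\n", crafted_record_escapes_buffer());
    return 0;
}
```

The check that matters is `len > remaining`: it must compare the attacker-controlled length against the bytes still present in the input, not against the size of the whole buffer, and it must run before the length is handed to any copy, allocation or free.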

Exploits (1)

github · WORKING POC · 11 stars
by X-C3LL · python · poc
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2018-15503

Classification
Working PoC (95% confidence)
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Swoole 4.0.4
No auth needed
Prerequisites: Swoole 4.0.4 installed · PHP environment
devstral-2 · analyzed Feb 27, 2026

References (3)

Core References
Issue Tracking, Vendor Advisory
https://github.com/swoole/swoole-src/issues/1882
Technical Description, Third Party Advisory
https://x-c3ll.github.io/posts/swoole-deserialization-cve-2018-15503/

Scores

CVSS v3 7.5 (High)
EPSS 0.0227 (2.27% estimated probability of exploitation in the wild within the next 30 days)
EPSS Percentile 80.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (reachable over the network, low attack complexity, no privileges or user interaction required, availability impact only)

Details

CWE
CWE-502
Status published
Products (1)
swoole/swoole 4.0.4
Published Aug 18, 2018
Tracked Since Feb 18, 2026