Description
Multipart-file uploads cause variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used, this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
References (2)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff
Patch, Third Party Advisory x_refsource_misc
https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html
Scores
CVSS v3
9.8
EPSS
0.0063
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-621
CWE-20
Status
published
Products (1)
facebook/hhvm
< 3.21.9
Published
Dec 31, 2018
Tracked Since
Feb 18, 2026