Description
Insufficient boundary checks in handleBackslash when decoding JSON allow an out-of-bounds memory read, potentially leading to DoS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
References (2)
Core References
Patch x_refsource_confirm
https://github.com/facebook/hhvm/commit/b3679121bb3c7017ff04b4c08402ffff5cf59b13
Vendor Advisory x_refsource_confirm
https://hhvm.com/blog/2020/02/20/security-update.html
Scores
CVSS v3: 7.5
EPSS: 0.0061
EPSS Percentile: 69.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-125
Status: published
Products (8)
facebook/hhvm 4.39.0
facebook/hhvm 4.40.0
facebook/hhvm 4.41.0
facebook/hhvm 4.42.0
facebook/hhvm 4.43.0
facebook/hhvm 4.44.0
facebook/hhvm 4.45.0
facebook/hhvm < 4.8.7
Published: Mar 03, 2020
Tracked Since: Feb 18, 2026