CVE-2020-1892

HIGH

HHVM < 4.8.7 - Out-of-bounds Read in JSON Parser

Description

Insufficient boundary checks when decoding JSON in JSON_parser allow read access to out-of-bounds memory, potentially leading to an information leak and DoS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.

Scores

CVSS v3 8.1
EPSS 0.0109
EPSS Percentile 61.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Details

CWE CWE-125
Status published
Products (8)
facebook/hhvm 4.39.0
facebook/hhvm 4.40.0
facebook/hhvm 4.41.0
facebook/hhvm 4.42.0
facebook/hhvm 4.43.0
facebook/hhvm 4.44.0
facebook/hhvm 4.45.0
facebook/hhvm < 4.8.7
Published Mar 03, 2020
Tracked Since Feb 18, 2026