Description
Insufficient boundary checks when decoding JSON in TryParse allow reads of out-of-bounds memory, potentially leading to DoS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://hhvm.com/blog/2020/02/20/security-update.html
Patch (x_refsource_confirm): https://github.com/facebook/hhvm/commit/bd586671a3c22eb2f07e55f11b3ce64e1f7961e7
Scores
CVSS v3: 7.5
EPSS: 0.0061
EPSS Percentile: 69.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-125
Status: published
Products (8)
facebook/hhvm 4.39.0
facebook/hhvm 4.40.0
facebook/hhvm 4.41.0
facebook/hhvm 4.42.0
facebook/hhvm 4.43.0
facebook/hhvm 4.44.0
facebook/hhvm 4.45.0
facebook/hhvm < 4.8.7
Published: Mar 03, 2020
Tracked Since: Feb 18, 2026