CVE-2020-1893

HIGH

HHVM < 4.8.7 - Denial of Service via JSON Decoding Out-of-Bounds Read


Description

Insufficient boundary checks when decoding JSON in TryParse allow reads of out-of-bounds memory, potentially leading to DoS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.

Scores

CVSS v3: 7.5
EPSS: 0.0115
EPSS Percentile: 62.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-125
Status: published
Products (8):
facebook/hhvm 4.39.0
facebook/hhvm 4.40.0
facebook/hhvm 4.41.0
facebook/hhvm 4.42.0
facebook/hhvm 4.43.0
facebook/hhvm 4.44.0
facebook/hhvm 4.45.0
facebook/hhvm < 4.8.7
Published: Mar 03, 2020
Tracked Since: Feb 18, 2026