CVE-2020-1899

HIGH

HHVM <4.32.3, 4.33.0-4.62.0 - Memory Corruption

Description

The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM versions prior to 4.32.3, versions 4.33.0 through 4.56.0, and versions 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0 and 4.62.0.

Scores

CVSS v3 7.5
EPSS 0.0036
EPSS Percentile 58.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-119 CWE-822
Status published
Products (8)
facebook/hhvm 4.57.0
facebook/hhvm 4.58.0
facebook/hhvm 4.58.1
facebook/hhvm 4.59.0
facebook/hhvm 4.60.0
facebook/hhvm 4.61.0
facebook/hhvm 4.62.0
facebook/hhvm < 4.32.3
Published Mar 11, 2021
Tracked Since Feb 18, 2026