
Uncontrolled Recursive Decompression Vulnerability in PHP (CVE-2022-31628)

A PHP vulnerability (CVE-2022-31628) lets a specially crafted gzip file drive the phar decompressor into uncontrolled recursive decompression, producing an infinite loop and resource exhaustion. It affects PHP 7.4 releases before 7.4.31, 8.0 releases before 8.0.24, and 8.1 releases before 8.1.11, and is mitigated by upgrading to a patched release.

Laravel Tech Community

Vulnerability Description

In affected PHP versions, the phar decompressor keeps recursively decompressing gzip "quines" (files whose decompressed output is again the same gzip file), so decompression never terminates; an attacker who can supply such a file can exhaust server resources.
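As an added illustration of the missing checks (this is not the advisory's code nor PHP's phar implementation), the Python below unwraps nested gzip layers with a layer cap, an output-size cap, and a fixed-point check that stops a quine from looping forever; the `wrap` helper and sample payload are constructed for the demonstration, and `inflate` is a parameter only so the quine path can be exercised.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"


class DecompressionGuardError(Exception):
    """Raised when layered gzip input trips one of the guard rails."""


def inflate_bounded(data, max_output):
    """Decompress one gzip member, never producing more than max_output bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)      # 16+ selects gzip framing
    out = d.decompress(data, max_output + 1)         # stop early instead of ballooning
    if len(out) > max_output:
        raise DecompressionGuardError(f"layer expands past {max_output} bytes")
    if not d.eof:
        raise DecompressionGuardError("truncated or corrupt gzip layer")
    return out


def decompress_layers(data, max_layers=4, max_output=1 << 20, inflate=inflate_bounded):
    """Unwrap nested gzip layers with explicit bounds; returns (payload, layers).

    The three checks below are what an unbounded "decompress while the payload
    still looks like gzip" loop lacks: a layer cap, an output-size cap, and a
    fixed-point check so a gzip quine (a file that decompresses to itself)
    stops the loop instead of running it forever.
    """
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise DecompressionGuardError(f"more than {max_layers} nested gzip layers")
        try:
            out = inflate(data, max_output)
        except zlib.error as exc:
            raise DecompressionGuardError(f"corrupt gzip layer {layers + 1}: {exc}") from exc
        if out == data:
            raise DecompressionGuardError("gzip quine: layer decompresses to itself")
        data, layers = out, layers + 1
    return data, layers


def wrap(payload, layers):
    """Constructed helper for exercising the guard: gzip `payload` `layers` times."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    blob = wrap(b"constructed sample payload", 3)
    print(decompress_layers(blob))    # (b'constructed sample payload', 3)
```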

Vulnerability Details

Vulnerability Name: PHP Uncontrolled Recursion Vulnerability

Vulnerability Type: Uncontrolled Recursion

Discovery Date: 2022/9/29

Impact Scope: Medium

MPS ID: MPS-2022-12657

CVE ID: CVE-2022-31628

CNVD ID: -

Affected Versions:
  php@[8.0.0, 8.0.24)
  php@[8.1.0, 8.1.11)
  php@(-∞, 7.4.31)

Mitigation

Upgrade PHP to version 7.4.31, 8.0.24, 8.1.11, or any later release that contains the fix.

Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
