Uncontrolled Recursive Decompression Vulnerability in PHP (CVE-2022-31628)

A PHP vulnerability (CVE-2022-31628) lets a specially crafted gzip "quine" drive the phar decompressor into an infinite decompression loop, exhausting CPU and memory on the server. It affects PHP versions before 7.4.31, 8.0.0 through 8.0.23, and 8.1.0 through 8.1.10, and is fixed in 7.4.31, 8.0.24 and 8.1.11.

Laravel Tech Community

Vulnerability Description

In affected PHP versions, the phar uncompressor strips gzip layers from a phar archive repeatedly, for as long as the result still looks like gzip data. A gzip "quine" is a valid gzip stream that decompresses to itself, so each pass produces the same stream again and the loop never terminates. An attacker who can get such a file opened through the Phar class or the phar:// stream wrapper can therefore pin a worker process and exhaust server resources.
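The loop pattern described above, reproduced in Python as an added illustration (this is not PHP's ext/phar code, and the function and class names are this example's own). The unbounded version keeps decompressing while the output still starts with the gzip magic, which is exactly the behaviour that never ends on a quine. The bounded version caps the number of layers and additionally rejects a layer that reproduces its own input. Building a real gzip quine is out of scope, so the quine case is modelled with a stub decompressor that returns its input unchanged, which is what a quine makes the real decompressor do.

```python
"""Simulated phar-style gzip unwrapping: unbounded (vulnerable) vs bounded.

Added example, not code from PHP or from the article. Names such as
unwrap_unbounded, unwrap_bounded and DecompressionBombError are assumed
for this illustration only.
"""
import gzip

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip(data: bytes) -> bool:
    """True if the buffer starts with the two gzip magic bytes."""
    return data[:2] == GZIP_MAGIC


def unwrap_unbounded(data: bytes, decompress=gzip.decompress) -> bytes:
    """VULNERABLE pattern: strip gzip layers until the data no longer looks
    like gzip. On a quine, decompress() returns its input, so is_gzip() stays
    true forever and the loop never exits."""
    while is_gzip(data):
        data = decompress(data)
    return data


class DecompressionBombError(ValueError):
    """Raised when nested decompression exceeds the configured bound."""


def unwrap_bounded(data: bytes, max_layers: int = 1,
                   decompress=gzip.decompress) -> bytes:
    """HARDENED pattern: at most max_layers gzip layers are removed (a phar
    is wrapped in at most one), and a layer that decompresses to itself is
    rejected immediately instead of being fed back into the loop."""
    layers = 0
    while is_gzip(data):
        if layers >= max_layers:
            raise DecompressionBombError(
                f"more than {max_layers} nested gzip layer(s)")
        out = decompress(data)
        if out == data:  # fixed point: the stream reproduced itself
            raise DecompressionBombError(
                "gzip layer decompresses to itself (quine-like input)")
        data = out
        layers += 1
    return data


def nest(payload: bytes, depth: int) -> bytes:
    """Constructed test input: wrap payload in `depth` gzip layers."""
    for _ in range(depth):
        payload = gzip.compress(payload)
    return payload


def quine_like_decompress(data: bytes) -> bytes:
    """Stand-in for gzip.decompress applied to a real gzip quine: the output
    is byte-for-byte the input. Used only to exercise the bounded unwrapper;
    feeding it to unwrap_unbounded would loop forever."""
    return data


if __name__ == "__main__":
    # Constructed sample: a fake phar stub wrapped in three gzip layers.
    stub = b"<?php __HALT_COMPILER(); ?>"
    print(unwrap_unbounded(nest(stub, 3)) == stub)        # True
    print(unwrap_bounded(nest(stub, 1)) == stub)          # True
    for sample, kwargs in ((nest(stub, 2), {}),
                           (GZIP_MAGIC + b"\x08" * 16,
                            {"max_layers": 8,
                             "decompress": quine_like_decompress})):
        try:
            unwrap_bounded(sample, **kwargs)
        except DecompressionBombError as exc:
            print("rejected:", exc)
```

A fixed-point check on its own is not sufficient: a pair of streams that decompress into each other would pass it and still loop, so the layer bound is the real defence and the self-reproduction check is only an early exit for the common case.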

Vulnerability Details

Vulnerability Name

PHP Uncontrolled Recursion Vulnerability (phar gzip quine)

Vulnerability Type

Uncontrolled Recursion

Discovery Date

2022/9/29

Severity

Medium

MPS ID

MPS-2022-12657

CVE ID

CVE-2022-31628

CNVD ID

-

Affected Versions

php@[8.0.0, 8.0.24)

php@[8.1.0, 8.1.11)

php@(-∞, 7.4.31)

Mitigation

Upgrade PHP to version 7.4.31, 8.0.24, 8.1.11, or any later release that contains the fix. Until the upgrade is deployed, do not open untrusted files through the Phar class or the phar:// stream wrapper, since that is the code path on which the recursive decompression runs.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: PHP, patch, Vulnerability, CVE-2022-31628, recursive decompression
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
