What Critical Vulnerabilities Were Fixed in PHP 8.4.6? Inside the Core Security Audit

The PHP Foundation announced the results of a security audit of the most critical parts of the PHP source code (php‑src), the interpreter itself, and disclosed several high‑severity issues that were fixed in the newly released version 8.4.6.

Due to a flaw in the data‑parsing logic, PHP logs can be tampered when using syslog, allowing insertion or deletion of up to four characters or more (CVE‑2024‑9026).

An error handling multipart form submissions may cause data to be misinterpreted (CVE‑2024‑8925).

A memory issue in PHP’s filter handling can lead to segmentation faults (CVE‑2024‑8928).

A bug in the MySQL driver may leak data from the previous query (CVE‑2024‑8929).

The report was produced by Quarkslab SAS, organized by the Open Source Technology Improvement Fund and funded by a German sovereign technology agency. Because of budget constraints, only the “most critical components” of the source code were audited.

Critical components examined include PHP‑FPM (FastCGI Process Manager), the MySQL database driver, HTTP parsing and MIME attachment handling, JSON parsing, as well as cryptographic functions such as OpenSSL, password handling, hashing, and random number generation.

Quarkslab researchers concluded that most discovered vulnerabilities require pre‑conditions that are hard to obtain or rarely encountered in production, indicating an overall good security standard; they also praised the overall quality of the code and specifications.

The audit is not comprehensive, as it focused only on the most critical components under a tight schedule; functions such as parse_url, parse_str, streams, and xp_ssl were not examined despite handling external data.

PHP, a long‑standing interpreted language, powers a large share of web applications—according to W3Techs, 74.3% of websites run PHP, largely thanks to WordPress and other PHP‑based CMS frameworks.

Its relative ease of use and a mature ecosystem have led developers to describe it as “battle‑tested” and “stable,” a sentiment echoed by a developer on Hacker News.

Some commentators note that simple PHP applications perform well compared to “slow, JS‑heavy” sites, a factor contributing to renewed interest in frameworks like Ruby on Rails.

Author: 洛逸 Related link: https://github.com/php/php-src