CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4801 vulnerabilities reference this CWE, most recent first.
GHSA-86JP-P2QR-PC2R
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-02-03 21:30IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
{
"affected": [],
"aliases": [
"CVE-2019-4279"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-17T16:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.",
"id": "GHSA-86jp-p2qr-pc2r",
"modified": "2023-02-03T21:30:28Z",
"published": "2022-05-24T16:46:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4279"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160445"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10883628"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86Q3-WGX4-QVJC
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.
{
"affected": [],
"aliases": [
"CVE-2021-1413"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-08T04:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.",
"id": "GHSA-86q3-wgx4-qvjc",
"modified": "2022-05-24T17:46:52Z",
"published": "2022-05-24T17:46:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1413"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv34x-rce-8bfG2h6b"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-558"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-86QR-9VQC-PGC6
Vulnerability from github – Published: 2020-08-05 14:53 – Updated: 2021-10-21 20:51Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.integration:spring-integration-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.integration:spring-integration-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.integration:spring-integration-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.integration:spring-integration-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5413"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-03T21:06:31Z",
"nvd_published_at": "2020-07-31T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code.",
"id": "GHSA-86qr-9vqc-pgc6",
"modified": "2021-10-21T20:51:16Z",
"published": "2020-08-05T14:53:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5413"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-integration/commit/6a02b5abe97fabab6003d51b98dd45ab009a6e05"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-integration"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2020-5413"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Code execution in Spring Integration"
}
GHSA-86R3-4GQ8-XW8Q
Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-08-22 16:34Withdrawn
This advisory has been withdrawn because it is not a security issue and the CVE has been revoked.
Original Description
A Remote Code Execution (RCE) vulnerability exists in h laravel 5.8.38 via an unserialize pop chain in (1) __destruct in \Routing\PendingResourceRegistration.php, (2) __cal in Queue\Capsule\Manager.php, and (3) __invoke in mockery\library\Mockery\ClosureWrapper.php.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/laravel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.8.38"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43503"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-12T20:32:12Z",
"nvd_published_at": "2022-04-08T18:15:00Z",
"severity": "CRITICAL"
},
"details": "## Withdrawn\nThis advisory has been withdrawn because it is not a security issue and the CVE has been revoked.\n\n## Original Description\nA Remote Code Execution (RCE) vulnerability exists in h laravel 5.8.38 via an unserialize pop chain in (1) __destruct in \\Routing\\PendingResourceRegistration.php, (2) __cal in Queue\\Capsule\\Manager.php, and (3) __invoke in mockery\\library\\Mockery\\ClosureWrapper.php.",
"id": "GHSA-86r3-4gq8-xw8q",
"modified": "2022-08-22T16:34:29Z",
"published": "2022-04-09T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43503"
},
{
"type": "WEB",
"url": "https://github.com/1nhann/vulns/issues/1#issuecomment-1213126338"
},
{
"type": "WEB",
"url": "https://github.com/guoyanan1g/Laravel-vul/issues/2#issue-1045655892"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote Code Execution in Laravel",
"withdrawn": "2022-08-22T16:34:29Z"
}
GHSA-86RX-VP92-XVGG
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-06-09 18:31A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
{
"affected": [],
"aliases": [
"CVE-2018-15686"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-26T14:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
"id": "GHSA-86rx-vp92-xvgg",
"modified": "2025-06-09T18:31:57Z",
"published": "2022-05-13T01:04:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15686"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/pull/10519"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3222"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0593"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201810-10"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3816-1"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45714"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105747"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8727-M6GJ-MC37
Vulnerability from github – Published: 2020-05-26 15:09 – Updated: 2023-09-25 16:55There is a strong parameters bypass vector in ActionPack.
Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically the return value of each, or each_value,
or each_pair will return the underlying "untrusted" hash of data that was
read from the parameters. Applications that use this return value may be
inadvertently use untrusted user input.
Impacted code will look something like this:
def update
# Attacker has included the parameter: `{ is_admin: true }`
User.update(clean_up_params)
end
def clean_up_params
params.each { |k, v| SomeModel.check(v) if k == :name }
end
Note the mistaken use of each in the clean_up_params method in the above
example.
Workarounds
Do not use the return values of each, each_value, or each_pair in your
application.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.4.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8164"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-26T15:06:53Z",
"nvd_published_at": "2020-06-19T17:15:00Z",
"severity": "HIGH"
},
"details": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected: rails \u003c= 6.0.3\nNot affected: rails \u003c 5.0.0\nFixed Versions: rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters. Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters. Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n # Attacker has included the parameter: `{ is_admin: true }`\n User.update(clean_up_params)\nend\n\ndef clean_up_params\n params.each { |k, v| SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.",
"id": "GHSA-8727-m6gj-mc37",
"modified": "2023-09-25T16:55:14Z",
"published": "2020-05-26T15:09:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8164"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/292797"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4766"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possible Strong Parameters Bypass in ActionPack"
}
GHSA-87M4-826X-3CRX
Vulnerability from github – Published: 2026-06-08 23:00 – Updated: 2026-06-08 23:00Summary
CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename, PHP_URL_SCHEME) and then checks is_string($scheme) && strlen($scheme) > 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path contain a wrapper". When the input has the form phar:///path/file.phar/inner with three or more slashes after the scheme, parse_url returns boolean false instead of returning the scheme string. The is_string($scheme) branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP's stream layer, however, still treats phar:///... as a valid phar wrapper and opens the underlying phar file. The result is that IOFactory::load($attackerPath) walks past the patch and still touches the phar wrapper. On PHP 7.x, simply reaching the phar wrapper via is_file is enough for PHP to automatically deserialize the phar metadata, which in turn invokes the magic methods __wakeup and __destruct of an attacker controlled object and gives full RCE. On PHP 8.x, automatic metadata deserialization for plain file ops was removed, so the chain at the PhpSpreadsheet layer reduces to a phar wrapper file read primitive, and RCE only resurfaces if the downstream consumer ever calls Phar::getMetadata.
Vulnerable code
The file vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/File.php is byte identical across all six latest tags listed below:
public static function prohibitWrappers(string $filename): void
{
$scheme = parse_url($filename, PHP_URL_SCHEME);
if (is_string($scheme) && strlen($scheme) > 1) {
throw new Exception("Stream wrappers are not permitted as file paths: {$filename}");
}
}
For input phar://x/dummy.csv the call returns the string "phar" and the throw fires correctly. For input phar:///work/exploit.phar/dummy.csv the same call returns false and the throw is skipped, which is the bypass.
Confirmed affected versions
Tested on 2026-05-03. The prohibitWrappers source on disk is identical across all six tags.
| Branch | Latest tag | PHP under test | Result |
|---|---|---|---|
| 1.x | 1.30.4 | 7.4 | bypass plus full RCE, gadget wrote marker file |
| 2.1.x | 2.1.16 | 8.3 | bypass |
| 2.4.x | 2.4.5 | 8.3 | bypass |
| 3.10.x | 3.10.5 | 8.3 | bypass |
| 5.6.x | 5.6.0 | 8.3 | bypass |
| 5.7.x | 5.7.0 | 8.3 | bypass |
Version 1.30.4 is the latest tag of the 1.x branch, which is the only branch that still supports PHP 7.x. Version 5.7.0 is the latest tag overall on Packagist at the time of testing.
No branch beyond 1.30.x allows any release before Php 8. For branches beyond 1.30.x, although the code identified above is in error, and will be corrected, it does not lead to any security exposure. That would require a Phar::getMetadata call, which is not present in PhpSpreadsheet. If possible and reasonable, the release notes for the fix on the other branches will include release-note: security.
Reproduction
Requires Docker only, no local PHP install. Run:
bash run.sh
The script does the following in order: build exploit.phar using php:7.4-cli with phar.readonly=0, install phpoffice/phpspreadsheet:5.7.0 through composer and run exploit.php on php:8.3-cli to show that the bypass still works against the latest tag, then install 1.30.4 and run again on php:7.4-cli to show the full RCE chain. All output is teed to evidence.txt.
exploit.php ships two controls. The negative control uses phar://x/dummy.csv to confirm that the patch still rejects the standard wrapper form. The positive control uses phar:///work/exploit.phar/dummy.csv to show that the three slash variant slips through. On PHP 7.4 the gadget writes the file pwned_marker containing the lines WAKEUP: phpspreadsheet-bypass and DESTRUCT: phpspreadsheet-bypass, which is the proof that attacker controlled code ran inside the victim process.
Suggested fix
Do not rely on parse_url to detect wrappers, because its behavior depends on the slash count and on the PHP version. Either of these is safe:
public static function prohibitWrappers(string $filename): void
{
if (str_contains($filename, '://')) {
throw new Exception("Stream wrappers are not permitted as file paths: {$filename}");
}
}
Alternatively, run the path through realpath() first, since realpath returns false for any wrapper prefixed path.
Files in this report
- build-phar.php: builds
exploit.pharwith a gadget object in its metadata. - exploit.php: main PoC, with the negative and positive controls.
- exploit.phar: prebuilt phar, the gadget writes a marker when deserialized.
- composer.json: spec used by composer to install the version under test.
- run.sh: end to end reproducer through Docker.
- evidence.txt: log captured from the most recent
run.shinvocation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.30.4"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45034"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T23:00:14Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nCVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) \u0026\u0026 strlen($scheme) \u003e 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The check is not equivalent to \"does the path contain a wrapper\". When the input has the form `phar:///path/file.phar/inner` with three or more slashes after the scheme, `parse_url` returns boolean `false` instead of returning the scheme string. The `is_string($scheme)` branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP\u0027s stream layer, however, still treats `phar:///...` as a valid phar wrapper and opens the underlying phar file. The result is that `IOFactory::load($attackerPath)` walks past the patch and still touches the phar wrapper. On PHP 7.x, simply reaching the phar wrapper via `is_file` is enough for PHP to automatically deserialize the phar metadata, which in turn invokes the magic methods `__wakeup` and `__destruct` of an attacker controlled object and gives full RCE. On PHP 8.x, automatic metadata deserialization for plain file ops was removed, so the chain at the PhpSpreadsheet layer reduces to a phar wrapper file read primitive, and RCE only resurfaces if the downstream consumer ever calls `Phar::getMetadata`.\n\n## Vulnerable code\n\nThe file `vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/File.php` is byte identical across all six latest tags listed below:\n\n```php\npublic static function prohibitWrappers(string $filename): void\n{\n $scheme = parse_url($filename, PHP_URL_SCHEME);\n if (is_string($scheme) \u0026\u0026 strlen($scheme) \u003e 1) {\n throw new Exception(\"Stream wrappers are not permitted as file paths: {$filename}\");\n }\n}\n```\n\nFor input `phar://x/dummy.csv` the call returns the string `\"phar\"` and the throw fires correctly. For input `phar:///work/exploit.phar/dummy.csv` the same call returns `false` and the throw is skipped, which is the bypass.\n\n## Confirmed affected versions\n\nTested on 2026-05-03. The `prohibitWrappers` source on disk is identical across all six tags.\n\n| Branch | Latest tag | PHP under test | Result |\n|---|---|---|---|\n| 1.x | 1.30.4 | 7.4 | bypass plus full RCE, gadget wrote marker file |\n| 2.1.x | 2.1.16 | 8.3 | bypass |\n| 2.4.x | 2.4.5 | 8.3 | bypass |\n| 3.10.x | 3.10.5 | 8.3 | bypass |\n| 5.6.x | 5.6.0 | 8.3 | bypass |\n| 5.7.x | 5.7.0 | 8.3 | bypass |\n\nVersion 1.30.4 is the latest tag of the 1.x branch, which is the only branch that still supports PHP 7.x. Version 5.7.0 is the latest tag overall on Packagist at the time of testing.\n\nNo branch beyond 1.30.x allows any release before Php 8. For branches beyond 1.30.x, although the code identified above is in error, and will be corrected, it does not lead to any security exposure. That would require a `Phar::getMetadata` call, which is not present in PhpSpreadsheet. If possible and reasonable, the release notes for the fix on the other branches will include `release-note: security`.\n\n## Reproduction\n\nRequires Docker only, no local PHP install. Run:\n\n```sh\nbash run.sh\n```\n\nThe script does the following in order: build `exploit.phar` using `php:7.4-cli` with `phar.readonly=0`, install `phpoffice/phpspreadsheet:5.7.0` through composer and run `exploit.php` on `php:8.3-cli` to show that the bypass still works against the latest tag, then install `1.30.4` and run again on `php:7.4-cli` to show the full RCE chain. All output is teed to `evidence.txt`.\n\n`exploit.php` ships two controls. The negative control uses `phar://x/dummy.csv` to confirm that the patch still rejects the standard wrapper form. The positive control uses `phar:///work/exploit.phar/dummy.csv` to show that the three slash variant slips through. On PHP 7.4 the gadget writes the file `pwned_marker` containing the lines `WAKEUP: phpspreadsheet-bypass` and `DESTRUCT: phpspreadsheet-bypass`, which is the proof that attacker controlled code ran inside the victim process.\n\n## Suggested fix\n\nDo not rely on `parse_url` to detect wrappers, because its behavior depends on the slash count and on the PHP version. Either of these is safe:\n\n```php\npublic static function prohibitWrappers(string $filename): void\n{\n if (str_contains($filename, \u0027://\u0027)) {\n throw new Exception(\"Stream wrappers are not permitted as file paths: {$filename}\");\n }\n}\n```\n\nAlternatively, run the path through `realpath()` first, since `realpath` returns `false` for any wrapper prefixed path.\n\n## Files in this report\n- [build-phar.php](https://github.com/user-attachments/files/27317345/build-phar.php): builds `exploit.phar` with a gadget object in its metadata.\n- [exploit.php](https://github.com/user-attachments/files/27317343/exploit.php): main PoC, with the negative and positive controls.\n- [exploit.phar](https://github.com/user-attachments/files/27317356/exploit.phar.txt): prebuilt phar, the gadget writes a marker when deserialized.\n- [composer.json](https://github.com/user-attachments/files/27317341/composer.json): spec used by composer to install the version under test.\n- [run.sh](https://github.com/user-attachments/files/27317342/run.sh): end to end reproducer through Docker.\n- [evidence.txt](https://github.com/user-attachments/files/27317339/evidence.txt): log captured from the most recent `run.sh` invocation.",
"id": "GHSA-87m4-826x-3crx",
"modified": "2026-06-08T23:00:14Z",
"published": "2026-06-08T23:00:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-87m4-826x-3crx"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q4q6-r8wh-5cgh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PHPSpreadsheet has a patch bypass for CVE-2026-34084 "
}
GHSA-87MW-775V-8CMR
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.
The specific flaw exists within the AbstractGatewayFunction class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17587.
{
"affected": [],
"aliases": [
"CVE-2023-39473"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:13Z",
"severity": "HIGH"
},
"details": "Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the AbstractGatewayFunction class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17587.",
"id": "GHSA-87mw-775v-8cmr",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39473"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1045"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87Q2-RR35-R6C9
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2025-10-22 00:31A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
{
"affected": [],
"aliases": [
"CVE-2019-15271"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-26T03:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.",
"id": "GHSA-87q2-rr35-r6c9",
"modified": "2025-10-22T00:31:48Z",
"published": "2022-05-24T17:02:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15271"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-882J-M7WV-38P6
Vulnerability from github – Published: 2022-05-14 01:06 – Updated: 2025-10-22 00:31Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2018-2628"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-19T02:29:00Z",
"severity": "CRITICAL"
},
"details": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"id": "GHSA-882j-m7wv-38p6",
"modified": "2025-10-22T00:31:35Z",
"published": "2022-05-14T01:06:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2628"
},
{
"type": "WEB",
"url": "https://github.com/brianwrf/CVE-2018-2628"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2628"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44553"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45193"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46513"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103776"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040696"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.