GHSA-X9P2-77V6-6VHF

Vulnerability from github – Published: 2026-02-05 18:02 – Updated: 2026-02-12 14:23
VLAI
Summary
FrankenPHP has delayed propagation of security fixes in upstream base images
Details

Delayed propagation of security fixes in upstream base images

Summary

Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images.

FrankenPHP's container images were previously built only when specific version tags were updated or when manual triggers were initiated. This meant that if an upstream base image (such as Alpine Linux or official PHP/Go images) received a security patch under an existing tag, the FrankenPHP image would remain on the older, vulnerable version of those base layers.

Impact

Users pulling FrankenPHP images may have been running environments with known vulnerabilities in underlying system libraries (e.g., libcrypto3) even if they were using the "latest" version of a specific FrankenPHP tag.

Specifically, this includes vulnerabilities recently patched in Alpine 3.20.9, 3.21.6, 3.22.3, and 3.23.3, such as CVE-2025-15467 (Remote Code Execution in libcrypto3).

Details

The issue was a lack of automated "staleness" detection in the CI/CD pipeline.

Unless explicitly told, our build server was building new Docker images only when a new tag for base images was created. However, base images such as Alpine, PHP, and Go usually overwrite existing Docker tags to apply security fixes, which wasn't triggering a new build on our side.

Patches

As of February 4, 2026, the CI/CD pipeline has been updated.

  • Automated Detection: A daily check is now performed to compare the digest of local base images against upstream registries.
  • Auto-Rebuild: If a change is detected in base images (even if the tag name remains the same), FrankenPHP images are automatically rebuilt and re-pushed.

Users are advised to pull the latest versions of their specific tags to receive these updates.

Workarounds

You can force a local rebuild of your environment using the --pull flag to ensure you are fetching the latest patched base layers:

docker pull dunglas/frankenphp:latest
# If building your own image based on FrankenPHP
docker build --pull -t my-app .

References

Credits

Thanks to Tim Nelles for reporting and fixing this issue.

Severity
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dunglas/frankenphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T18:02:25Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Delayed propagation of security fixes in upstream base images\n\n## Summary\n\n**Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images.**\n\nFrankenPHP\u0027s container images were previously built only when specific version tags were updated or when manual triggers were initiated. This meant that if an upstream base image (such as Alpine Linux or official PHP/Go images) received a security patch under an existing tag, the FrankenPHP image would remain on the older, vulnerable version of those base layers.\n\n## Impact\n\nUsers pulling FrankenPHP images may have been running environments with known vulnerabilities in underlying system libraries (e.g., `libcrypto3`) even if they were using the \"latest\" version of a specific FrankenPHP tag.\n\nSpecifically, this includes vulnerabilities recently patched in **Alpine 3.20.9, 3.21.6, 3.22.3, and 3.23.3**, such as **CVE-2025-15467** (Remote Code Execution in `libcrypto3`).\n\n## Details\n\nThe issue was a lack of automated \"staleness\" detection in the CI/CD pipeline.\n\nUnless explicitly told, our build server was building new Docker images only when a new tag for base images was created. However, base images such as Alpine, PHP, and Go usually overwrite existing Docker tags to apply security fixes, which wasn\u0027t triggering a new build on our side.\n\n## Patches\n\nAs of **February 4, 2026**, the CI/CD pipeline has been updated.\n\n* **Automated Detection:** A daily check is now performed to compare the digest of local base images against upstream registries.\n* **Auto-Rebuild:** If a change is detected in base images (even if the tag name remains the same), FrankenPHP images are automatically rebuilt and re-pushed.\n\n**Users are advised to pull the latest versions of their specific tags to receive these updates.**\n\n## Workarounds\n\nYou can force a local rebuild of your environment using the `--pull` flag to ensure you are fetching the latest patched base layers:\n\n```bash\ndocker pull dunglas/frankenphp:latest\n# If building your own image based on FrankenPHP\ndocker build --pull -t my-app .\n```\n\n## References\n\n* [Alpine Linux Security Advisories](https://www.alpinelinux.org/posts/Alpine-3.20.9-3.21.6-3.22.3-3.23.3-released.html)\n* **CVE-2025-15467** (RCE in libcrypto3)\n\n## Credits\n\nThanks to [Tim Nelles](https://timnelles.de/) for reporting and fixing this issue.",
  "id": "GHSA-x9p2-77v6-6vhf",
  "modified": "2026-02-12T14:23:09Z",
  "published": "2026-02-05T18:02:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/php/frankenphp/security/advisories/GHSA-x9p2-77v6-6vhf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/php/frankenphp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FrankenPHP has delayed propagation of security fixes in upstream base images"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.