GHSA-QRCH-52M5-VV85

Vulnerability from github – Published: 2026-05-06 21:39 – Updated: 2026-05-14 20:42
VLAI
Summary
Flight vulnerable to sensitive information disclosure via default error handler
Details

Summary

The default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal).

Affected code

flight/Engine.php (≈ lines 678-704):

public function _error(Throwable $e): void
{
    ...
    $msg = sprintf(<<<'HTML'
        <h1>500 Internal Server Error</h1>
            <h3>%s (%s)</h3>
            <pre>%s</pre>
        HTML,
        $e->getMessage(),
        $e->getCode(),
        $e->getTraceAsString()
    );
    $this->response()->cache(0)->clearBody()->status(500)->write($msg)->send();
}

No flight.debug check, no environment gating.

Proof of concept

Any uncaught exception — including those auto-raised from handleError() — returns:

HTTP/1.1 500 Internal Server Error

<h1>500 Internal Server Error</h1>
  <h3>secret path /var/www/config/db.yml; token=LEAKED123 (0)</h3>
  <pre>#0 [internal function]: {closure}()
  #1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...
  #2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)
  ...
  </pre>

Reproduced against the live PoC app at /poc5/error.

Impact

  • Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).
  • Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.
  • Enumeration of installed vendor packages and internal application structure.

Patch (fixed in 3.18.1, commit b8dd23a)

A new flight.debug setting (default false) gates the verbose output. In production the handler now emits only <h1>500 Internal Server Error</h1>. Developers can set flight.debug = true in local environments to restore the full trace output.

Credit

Discovered by @Rootingg.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flightphp/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:39:07Z",
    "nvd_published_at": "2026-05-13T20:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe default error handler `Engine::_error()` writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure \u2014 giving attackers primitives for chaining other weaknesses (LFI, path traversal).\n\n### Affected code\n`flight/Engine.php` (\u2248 lines 678-704):\n\n```php\npublic function _error(Throwable $e): void\n{\n    ...\n    $msg = sprintf(\u003c\u003c\u003c\u0027HTML\u0027\n        \u003ch1\u003e500 Internal Server Error\u003c/h1\u003e\n            \u003ch3\u003e%s (%s)\u003c/h3\u003e\n            \u003cpre\u003e%s\u003c/pre\u003e\n        HTML,\n        $e-\u003egetMessage(),\n        $e-\u003egetCode(),\n        $e-\u003egetTraceAsString()\n    );\n    $this-\u003eresponse()-\u003ecache(0)-\u003eclearBody()-\u003estatus(500)-\u003ewrite($msg)-\u003esend();\n}\n```\n\nNo `flight.debug` check, no environment gating.\n\n### Proof of concept\nAny uncaught exception \u2014 including those auto-raised from `handleError()` \u2014 returns:\n\n```\nHTTP/1.1 500 Internal Server Error\n\n\u003ch1\u003e500 Internal Server Error\u003c/h1\u003e\n  \u003ch3\u003esecret path /var/www/config/db.yml; token=LEAKED123 (0)\u003c/h3\u003e\n  \u003cpre\u003e#0 [internal function]: {closure}()\n  #1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...\n  #2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)\n  ...\n  \u003c/pre\u003e\n```\n\nReproduced against the live PoC app at `/poc5/error`.\n\n### Impact\n- Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).\n- Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.\n- Enumeration of installed vendor packages and internal application structure.\n\n### Patch (fixed in `3.18.1`, commit `b8dd23a`)\nA new `flight.debug` setting (default `false`) gates the verbose output. In production the handler now emits only `\u003ch1\u003e500 Internal Server Error\u003c/h1\u003e`. Developers can set `flight.debug = true` in local environments to restore the full trace output.\n\n### Credit\nDiscovered by **@Rootingg**.",
  "id": "GHSA-qrch-52m5-vv85",
  "modified": "2026-05-14T20:42:12Z",
  "published": "2026-05-06T21:39:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42552"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flightphp/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/releases/tag/v3.18.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flight vulnerable to sensitive information disclosure via default error handler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.