GHSA-R3XH-3R3W-47GP

Vulnerability from github – Published: 2026-02-12 15:29 – Updated: 2026-02-12 22:07
VLAI?
Summary
FrankenPHP leaks session data between requests in worker mode
Details

Summary

When running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called.

Details

In standard PHP execution, the environment is torn down completely after every request. In FrankenPHP's worker mode, the application stays in memory, and superglobals are manually reset between requests.

The vulnerability exists because $_SESSION is stored in the Zend Engine's symbol table (EG(symbol_table)). While the standard PHP request shutdown (RSHUTDOWN) decrements the reference count of the session data, it does not remove the $_SESSION variable itself from the symbol table. FrankenPHP's reset logic (frankenphp_reset_super_globals) previously cleared other superglobals but failed to explicitly delete $_SESSION.

Consequently, until session_start() is called in the new request (which re-initializes the variable), the $_SESSION array retains the data from the previous request processed by that specific worker thread.

Impact

This is a cross-request data leakage vulnerability.

  • Confidentiality: If an application reads $_SESSION before calling session_start(), it can access sensitive information (authentication tokens, user IDs, PII) belonging to the previous user.
  • Logic Errors / Impersonation: If application logic relies on $_SESSION being empty or unset to detect a "guest" state, or checks for specific keys in $_SESSION prior to session initialization, a malicious actor (or accidental race condition) could trigger privilege escalation or user impersonation.

This affects only users running FrankenPHP in worker mode and not session_start() for each request, which is done by default by most frameworks.

PoC

The following steps demonstrate the issue (derived from the regression tests added in the fix):

  1. Client A sends a request that starts a session and sets sensitive data:
// Request 1
session_start();
$_SESSION['secret'] = 'AliceData';
session_write_close();
  1. Client B (or the same client without cookies) sends a request to the same worker. This script checks $_SESSION without starting a session:
// Request 2
// session_start() is NOT called
if (!empty($_SESSION)) {
    echo "Leaked Data: " . $_SESSION['secret'];
}
  1. Result: Client B receives "Leaked Data: AliceData".

Workarounds

  • Ensure session_start() is called immediately at the entry point of your worker script to overwrite any residual data (though this may not cover all edge cases if middleware runs before the controller).
  • Manually unset $_SESSION at the very beginning of the worker loop, before handling the request.
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dunglas/frankenphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T15:29:30Z",
    "nvd_published_at": "2026-02-12T20:16:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen running FrankenPHP in **worker mode**, the `$_SESSION` superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the `$_SESSION` data of the previous request (potentially belonging to a different user) before `session_start()` is called.\n\n### Details\n\nIn standard PHP execution, the environment is torn down completely after every request. In FrankenPHP\u0027s worker mode, the application stays in memory, and superglobals are manually reset between requests.\n\nThe vulnerability exists because `$_SESSION` is stored in the Zend Engine\u0027s symbol table (`EG(symbol_table)`). While the standard PHP request shutdown (RSHUTDOWN) decrements the reference count of the session data, it does not remove the `$_SESSION` variable itself from the symbol table. FrankenPHP\u0027s reset logic (`frankenphp_reset_super_globals`) previously cleared other superglobals but failed to explicitly delete `$_SESSION`.\n\nConsequently, until `session_start()` is called in the new request (which re-initializes the variable), the `$_SESSION` array retains the data from the previous request processed by that specific worker thread.\n\n### Impact\n\nThis is a **cross-request data leakage** vulnerability.\n\n* **Confidentiality:** If an application reads `$_SESSION` before calling `session_start()`, it can access sensitive information (authentication tokens, user IDs, PII) belonging to the previous user.\n* **Logic Errors / Impersonation:** If application logic relies on `$_SESSION` being empty or unset to detect a \"guest\" state, or checks for specific keys in `$_SESSION` prior to session initialization, a malicious actor (or accidental race condition) could trigger privilege escalation or user impersonation.\n\nThis affects only users running FrankenPHP in **worker mode** and not `session_start()` for each request, which is done by default by most frameworks.\n\n### PoC\n\nThe following steps demonstrate the issue (derived from the regression tests added in the fix):\n\n1. **Client A** sends a request that starts a session and sets sensitive data:\n\n```php\n// Request 1\nsession_start();\n$_SESSION[\u0027secret\u0027] = \u0027AliceData\u0027;\nsession_write_close();\n```\n\n2. **Client B** (or the same client without cookies) sends a request to the same worker. This script checks `$_SESSION` *without* starting a session:\n\n```php\n// Request 2\n// session_start() is NOT called\nif (!empty($_SESSION)) {\n    echo \"Leaked Data: \" . $_SESSION[\u0027secret\u0027];\n}\n```\n\n\n3. **Result:** Client B receives \"Leaked Data: AliceData\".\n\n### Workarounds\n\n* Ensure `session_start()` is called immediately at the entry point of your worker script to overwrite any residual data (though this may not cover all edge cases if middleware runs before the controller).\n* Manually unset `$_SESSION` at the very beginning of the worker loop, before handling the request.",
  "id": "GHSA-r3xh-3r3w-47gp",
  "modified": "2026-02-12T22:07:50Z",
  "published": "2026-02-12T15:29:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/php/frankenphp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FrankenPHP leaks session data between requests in worker mode"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.