GHSA-VXRR-W42W-W76G

Vulnerability from github – Published: 2026-05-06 21:38 – Updated: 2026-05-14 20:40
Summary
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
Details

Summary

Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin.

Affected code

flight/net/Request.php (≈ lines 281-292):

public static function getMethod(): string
{
    $method = self::getVar('REQUEST_METHOD', 'GET');
    if (self::getVar('HTTP_X_HTTP_METHOD_OVERRIDE') !== '') {
        $method = self::getVar('HTTP_X_HTTP_METHOD_OVERRIDE');
    } elseif (isset($_REQUEST['_method']) === true) {
        $method = $_REQUEST['_method'];
    }
    return strtoupper($method);
}

$_REQUEST aggregates $_GET and $_POST; on PHP runtimes with request_order=GPC it also includes $_COOKIE.

Proof of concept

GET /item/42?_method=DELETE        HTTP/1.1

is dispatched as DELETE /item/42.

GET /item/42                       HTTP/1.1
X-HTTP-Method-Override: DELETE

is also dispatched as DELETE /item/42.

Trivial CSRF vector (no JavaScript required):

<img src="https://victim.tld/item/42?_method=DELETE">

loaded on any attacker-controlled page triggers the destructive DELETE on page load, bypassing Same-Origin Policy (image loads are not blocked).

Reproduced against /poc4/item/42.

Impact

  • GET → DELETE / PUT CSRF on any route registered for unsafe verbs.
  • Bypass of authentication, CSRF token, or rate-limiting middleware that is gated only on POST/DELETE.
  • CDN cache poisoning: the CDN caches the GET response body while the origin executed a DELETE.

Patch (fixed in 3.18.1, commit b8dd23a)

A new flight.allow_method_override setting controls both override vectors. Operators can set it to false to disable X-HTTP-Method-Override and _method entirely.
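The hardened shape that the affected code and the 3.18.1 setting point at (override off by default, honored only on a real POST, and only for an allowlist of target verbs), as an added example that is not Flight's own code or its patch; resolveMethod, $allowOverride and OVERRIDE_TARGETS are hypothetical names, and the sample requests are constructed from the proof of concept above:

```php
<?php
// Hardened stand-in for Request::getMethod(). Hypothetical names, not Flight's API:
// the override is opt-in, accepted only on POST, and limited to an allowlist.
declare(strict_types=1);

const OVERRIDE_TARGETS = ['PUT', 'PATCH', 'DELETE'];

/**
 * @param array<string,string> $server  $_SERVER-like array (REQUEST_METHOD, HTTP_X_HTTP_METHOD_OVERRIDE)
 * @param array<string,string> $post    $_POST only; $_GET and $_COOKIE are deliberately never consulted
 */
function resolveMethod(array $server, array $post, bool $allowOverride = false): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');

    // Off by default: an operator must opt in, as with the 3.18.1 setting.
    if (!$allowOverride) {
        return $method;
    }
    // Only a real POST may be upgraded; a GET stays a GET whatever it carries,
    // which closes the <img src="...?_method=DELETE"> vector.
    if ($method !== 'POST') {
        return $method;
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? ($post['_method'] ?? '');
    $override = strtoupper(trim((string) $override));

    // Anything outside the allowlist (GET, TRACE, garbage) is ignored.
    if (!in_array($override, OVERRIDE_TARGETS, true)) {
        return $method;
    }
    return $override;
}

// Constructed sample requests modelled on the advisory's PoC: [server, post, opt-in, expected].
$cases = [
    [['REQUEST_METHOD' => 'GET'], [], true, 'GET'],                                                  // ?_method=DELETE lives in $_GET, ignored
    [['REQUEST_METHOD' => 'GET', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE'], [], true, 'GET'],       // header override on GET, ignored
    [['REQUEST_METHOD' => 'POST'], ['_method' => 'delete'], true, 'DELETE'],                         // legitimate form override
    [['REQUEST_METHOD' => 'POST'], ['_method' => 'DELETE'], false, 'POST'],                          // default: override disabled
    [['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'TRACE'], [], true, 'POST'],      // not in allowlist
];
foreach ($cases as [$server, $post, $allow, $expected]) {
    $got = resolveMethod($server, $post, $allow);
    printf("%-4s -> %-6s %s\n", $server['REQUEST_METHOD'], $got, $got === $expected ? 'ok' : 'FAIL');
}
```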

Credit

Discovered by @Rootingg.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flightphp/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:38:16Z",
    "nvd_published_at": "2026-05-13T20:16:22Z",
    "severity": "HIGH"
  },
  "id": "GHSA-vxrr-w42w-w76g",
  "modified": "2026-05-14T20:40:04Z",
  "published": "2026-05-06T21:38:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flightphp/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/releases/tag/v3.18.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass"
}

