Platform
php
Component
php
Fixed in
7.2.26
7.3.13
7.4.1
CVE-2019-11044 is a path traversal vulnerability affecting PHP versions 7.2.x prior to 7.2.26, 7.3.x prior to 7.3.13, and 7.4.0 specifically on Windows systems. This flaw arises from the link() function's improper handling of embedded null bytes (\0) within filenames. Consequently, an attacker could potentially bypass file access controls and read arbitrary files on the system.
The vulnerability allows an attacker to potentially read arbitrary files on the server by crafting filenames containing embedded null bytes. The link() function, intended for creating symbolic links, incorrectly interprets these null bytes as the end of the filename, allowing the attacker to specify paths beyond the intended directory. This could lead to sensitive information disclosure, such as configuration files, source code, or even system files, depending on the application's file access logic. While the CVSS score is LOW, the potential for sensitive data exposure makes this a significant concern, particularly in environments where file access controls are not strictly enforced.
CVE-2019-11044 was publicly disclosed on December 23, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits have been widely reported. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited impact and difficulty of exploitation.
Exploit Status
EPSS
8.02% (92% percentile)
CVSS Vector
The primary mitigation for CVE-2019-11044 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.1 or later. If immediate upgrading is not feasible, consider implementing stricter input validation on filenames used in file operations within your PHP applications. Sanitize user-supplied filenames to remove or escape null bytes before passing them to the link() function. Web Application Firewalls (WAFs) configured to detect path traversal attempts could also provide a temporary layer of defense. After upgrading, confirm the fix by attempting to create a symbolic link with a filename containing a null byte; the operation should fail with an appropriate error.
Update to PHP version 7.2.26, 7.3.13 or 7.4.1, or a later version. This corrects the vulnerability that allows filename truncation after a null byte in the link() function on Windows.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-11044 is a path traversal vulnerability in PHP 7.2.0–7.4.1 on Windows where the link() function mishandles null bytes in filenames, allowing attackers to potentially read arbitrary files.
If you are running PHP 7.2.x before 7.2.26, 7.3.x before 7.3.13, or 7.4.0 on a Windows system, you are potentially affected by this vulnerability.
Upgrade to PHP 7.4.1 or later to resolve the vulnerability. As a temporary measure, implement stricter input validation on filenames.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-11044.
Refer to the PHP security advisory: https://security.php.net/CVE-2019-11044
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.