Platform
php
Component
php
Fixed in
7.2.31
7.3.18
7.4.6
CVE-2019-11048 is a vulnerability affecting PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, and 7.4.x below 7.4.6. When HTTP file uploads are enabled, attackers can exploit this flaw by providing excessively long filenames or field names. This can trigger the PHP engine to attempt allocating oversized memory storage, potentially leading to a denial of service due to disk exhaustion from uncleaned temporary files.
The primary impact of CVE-2019-11048 is denial of service (DoS). An attacker can repeatedly upload files with manipulated filenames, causing the PHP engine to allocate excessive memory and create numerous temporary files. If the server's disk space is limited, this accumulation can exhaust the available storage, rendering the web server unresponsive. This can disrupt legitimate user access and potentially impact other services running on the same server. While not directly leading to data exfiltration, the DoS condition can be used as a distraction for other malicious activities. The vulnerability's reliance on HTTP file uploads means applications that heavily utilize this functionality are particularly vulnerable.
CVE-2019-11048 was publicly disclosed on May 20, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. While a public proof-of-concept may exist, it is not widely known or actively utilized. The vulnerability's impact is primarily a denial of service, which may make it less attractive to attackers compared to vulnerabilities that allow for data breaches or remote code execution.
Exploit Status
EPSS
12.72% (94% percentile)
CVSS Vector
The primary mitigation for CVE-2019-11048 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.6 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. These may include strict filename validation on the server-side to limit the maximum length of uploaded filenames and field names. Additionally, configure the uploadmaxfilesize directive in php.ini to a reasonable value to prevent excessively large uploads. Regularly monitor disk space usage on the server to detect potential exhaustion and proactively address the issue. Consider implementing a WAF rule to block requests with unusually long filenames.
Update to PHP version 7.2.31, 7.3.18 or 7.4.6, or a later version, as appropriate for your PHP branch. This will fix the vulnerability that allows disk space exhaustion due to the accumulation of uncleaned temporary files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-11048 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x where overly long filenames in HTTP file uploads can lead to disk exhaustion due to temporary file accumulation.
You are affected if you are running PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, or 7.4.x below 7.4.6 and have HTTP file uploads enabled.
Upgrade to PHP 7.4.6 or later. As a temporary workaround, implement strict filename validation and limit uploadmaxfilesize.
There is no current evidence of active exploitation campaigns targeting CVE-2019-11048.
Refer to the PHP security advisory: https://security.php.net/CVE-2019-11048
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.