Platform
php
Component
php
Fixed in
7.3.13
7.4.1
CVE-2019-11049 is a double-free vulnerability affecting the PHP mail() function on Windows systems. This flaw can lead to memory corruption when custom headers are supplied in lowercase, potentially causing application crashes or unexpected behavior. The vulnerability affects PHP 7.3.x versions before 7.3.13 and PHP 7.4.0. It was fixed in PHP 7.3.13 and 7.4.1.
CVE-2019-11049 affects PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows. It occurs when custom headers are supplied to the mail() function and these headers are provided in lowercase. A mistake in the code, introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, can lead to a double-free of memory, potentially resulting in application crashes or even malicious code execution. The severity of this vulnerability is rated as 6.5 on the CVSS scale. The vulnerability is Windows-specific due to how PHP handles headers on that operating system. The risk increases if the web application uses the mail() function to send emails and allows users to control the content of the headers.
This vulnerability is triggered by sending an email with custom headers in lowercase through PHP's mail() function. An attacker able to influence those headers could cause a double-free of memory, which could potentially allow arbitrary code execution on the server. As the vulnerability is Windows-specific, Linux-based systems are not affected. The likelihood of exploitation depends on whether the web application allows users to control the content of email headers. The absence of a KEV listing is consistent with exploitation being complex and requiring a deep understanding of PHP's internal workings.
Exploit Status
EPSS
2.80% (86th percentile)
CVSS Vector
The solution to mitigate CVE-2019-11049 is to update to a PHP version that has patched the vulnerability. Specifically, upgrading to PHP 7.3.13 or higher, or PHP 7.4.1 or higher, is recommended. Additionally, review your application code to ensure custom headers are not being used insecurely. If an immediate update isn’t possible, implement input validation to ensure custom headers are sent in a secure format, although this is not a complete solution and updating is the most recommended measure. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning there are no known public exploits, but applying the fix is important to prevent future attacks.
Upgrade to PHP version 7.3.13 or higher, or to version 7.4.1 or higher. This fixes the double-free memory vulnerability when using the mail() function with lowercase custom headers on Windows.
PHP versions 7.3.x prior to 7.3.13 and version 7.4.0 on Windows are vulnerable.
Check the PHP version installed on your server. If it’s a vulnerable version, update to a patched version.
Yes, versions 7.3.13 and 7.4.1 or higher include the fix for this vulnerability.
Implement input validation to ensure custom headers are sent in a secure format, although this is not a complete solution.
Although there are no known public exploits, it is recommended to apply the fix to prevent future attacks.
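The version check and the header validation recommended above, as an added example written for this page (it is not code from PHP or from the advisory). The allowlist of permitted header names and the send_notification helper are assumptions; the affected ranges are the ones the advisory gives. The wrapper refuses caller-supplied headers on an unpatched Windows build and, on patched builds, allowlists header names, rejects CR/LF injection and emits canonical capitalization so user-controlled case never reaches mail(). As the advisory states, this reduces exposure but upgrading is the actual fix.

```php
<?php
// Added example: defensive wrapper around mail() for CVE-2019-11049.
// Affected ranges from the advisory: 7.3.x below 7.3.13, and 7.4.0, on Windows.
const CVE_2019_11049_FIXED = ['7.3' => '7.3.13', '7.4' => '7.4.1'];

/**
 * True when the running PHP build is in the affected range on Windows.
 * $version and $osFamily are parameters so the check can be unit-tested.
 */
function php_vulnerable_to_cve_2019_11049(string $version = PHP_VERSION, string $osFamily = PHP_OS_FAMILY): bool
{
    if ($osFamily !== 'Windows') {
        return false; // the bug lives in PHP's Windows-specific mail path
    }
    $branch = implode('.', array_slice(explode('.', $version), 0, 2)); // e.g. "7.3"
    if (!isset(CVE_2019_11049_FIXED[$branch])) {
        return false; // 7.2 and older, 8.x: not in the advisory's affected range
    }
    return version_compare($version, CVE_2019_11049_FIXED[$branch], '<');
}

/**
 * Validates user-supplied headers (name => value) before they reach mail():
 * allowlisted names only, no CR/LF/NUL in values, canonical capitalization.
 */
function build_safe_headers(array $userHeaders): string
{
    // Hypothetical allowlist; extend to the headers your application really needs.
    $allowed = ['reply-to' => 'Reply-To', 'cc' => 'Cc', 'x-mailer' => 'X-Mailer'];
    $lines = [];
    foreach ($userHeaders as $name => $value) {
        $key = strtolower(trim((string) $name));
        if (!isset($allowed[$key])) {
            throw new InvalidArgumentException("header not permitted: $name");
        }
        $value = trim((string) $value);
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("line break in header value for $name");
        }
        $lines[] = $allowed[$key] . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

/** Hypothetical application helper that sends mail with validated headers. */
function send_notification(string $to, string $subject, string $body, array $userHeaders): bool
{
    if (php_vulnerable_to_cve_2019_11049()) {
        // Unpatched Windows build: drop custom headers entirely and make the
        // need to upgrade visible in the logs.
        error_log('mail(): custom headers suppressed on PHP ' . PHP_VERSION . ' (CVE-2019-11049 unpatched)');
        return mail($to, $subject, $body);
    }
    return mail($to, $subject, $body, build_safe_headers($userHeaders));
}

// Usage: headers arriving in lowercase from a form are re-emitted canonically.
// build_safe_headers(['reply-to' => 'ops@example.test']) returns "Reply-To: ops@example.test"
// php_vulnerable_to_cve_2019_11049('7.3.12', 'Windows') is true; ('7.4.1', 'Windows') is false.
```

The version check is deliberately split out with injectable parameters so it can be run in a test suite against the advisory's boundary values (7.3.12 vulnerable, 7.3.13 fixed, 7.4.0 vulnerable, 7.4.1 fixed, any version on Linux not affected).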