Platform: php
Component: php
Fixed in: 7.2.27, 7.3.14, 7.4.2
CVE-2020-7059 describes a buffer overflow vulnerability affecting PHP versions 7.2.x (prior to 7.2.27), 7.3.x (prior to 7.3.14), and 7.4.x (prior to 7.4.2). This vulnerability arises within the fgetss() function when processing data with tag stripping enabled. An attacker can craft malicious input that causes the function to read beyond the allocated buffer, potentially leading to information disclosure or a denial-of-service crash.
The primary impact of CVE-2020-7059 is the potential for information disclosure and denial of service. An attacker who can control the input to the fgetss() function can craft a payload that triggers the buffer overflow. This could allow them to read sensitive data from memory, potentially including configuration files, session data, or other critical information. The crash resulting from the overflow could also disrupt the availability of the PHP application, leading to downtime and service interruption. While direct remote code execution is unlikely, the information disclosure aspect is concerning, as it could be a stepping stone for further attacks.
CVE-2020-7059 was publicly disclosed on February 10, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of triggering the buffer overflow.
Exploit Status
EPSS: 2.37% (85th percentile)
CVSS Vector
The recommended mitigation for CVE-2020-7059 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.2 or later. If upgrading immediately is not feasible, consider implementing input validation to sanitize data passed to the fgetss() function, particularly when tag stripping is enabled. While not a complete fix, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect buffer overflow attempts might offer some protection, but relying solely on a WAF is not recommended. Monitor PHP error logs for any unusual activity or crashes that might indicate exploitation attempts.
Update to the latest version of PHP. If you are using versions 7.2.x, update to version 7.2.27 or higher. If you are using versions 7.3.x, update to version 7.3.14 or higher. If you are using versions 7.4.x, update to version 7.4.2 or higher.
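As an added example (not part of the advisory or of PHP's own code), the script below does two things a defender typically wants when triaging this CVE: it compares the running interpreter against the fixed releases listed above, per minor branch, and it shows reading lines with fgets() followed by strip_tags(), which is the documented replacement for fgetss() (the function was deprecated in PHP 7.3 and removed in PHP 8.0, so moving off it is also the long-term fix). The constant, function names and the in-memory sample stream are this example's own assumptions.

```php
<?php
// Added example (not from the advisory): version triage for CVE-2020-7059 and a
// fgetss()-free way to read a line with tags stripped.

/** Fixed releases per minor branch, as listed in the advisory. */
const CVE_2020_7059_FIXED = [
    '7.2' => '7.2.27',
    '7.3' => '7.3.14',
    '7.4' => '7.4.2',
];

/**
 * True when $version is a 7.2/7.3/7.4 build below the fix for its branch.
 * Other branches (5.x, 8.x) are not in the affected list and return false.
 */
function isAffectedByCve20207059(string $version): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(CVE_2020_7059_FIXED[$branch])) {
        return false;
    }
    return version_compare($version, CVE_2020_7059_FIXED[$branch], '<');
}

/**
 * Reads one line from $stream with fgets() and strips tags with strip_tags().
 * Mirrors the fgetss() signature (optional length, optional allowed tags) and
 * returns false at EOF, like fgets().
 */
function readLineStripped($stream, ?int $length = null, ?string $allowedTags = null)
{
    $line = $length === null ? fgets($stream) : fgets($stream, $length);
    if ($line === false) {
        return false;
    }
    return strip_tags($line, $allowedTags ?? '');
}

// Constructed sample input: an in-memory stream so the example runs offline.
$stream = fopen('php://memory', 'r+');
fwrite($stream, "<b>bold</b> text\n<script>alert(1)</script>plain\n");
rewind($stream);

printf(
    "Running PHP %s: %s\n",
    PHP_VERSION,
    isAffectedByCve20207059(PHP_VERSION) ? 'AFFECTED by CVE-2020-7059, upgrade' : 'not affected'
);

// Keep <b> as an allowed tag; everything else, including <script>, is removed.
while (($line = readLineStripped($stream, null, '<b>')) !== false) {
    echo $line;
}
fclose($stream);
```

Run it with `php cve-2020-7059-check.php` on each host; the version check prints "AFFECTED" for builds such as 7.3.13 and "not affected" for 7.3.14, 7.4.2 or any 8.x release. Replacing fgetss() calls with a fgets()/strip_tags() pair is a code change, not a substitute for upgrading, but it removes the vulnerable function from the code path and keeps the code working on PHP 8.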
CVE-2020-7059 is a medium severity buffer overflow vulnerability in PHP versions 7.2.0–7.4.2 affecting the fgetss() function when stripping tags, potentially leading to information disclosure or crashes.
If you are using PHP versions 7.2.x prior to 7.2.27, 7.3.x prior to 7.3.14, or 7.4.x prior to 7.4.2, you are potentially affected by this vulnerability.
Upgrade to PHP 7.4.2 or later to remediate the vulnerability. Input validation can provide a temporary mitigation if immediate upgrade is not possible.
While there are public proof-of-concept exploits available, there is currently no evidence of active exploitation campaigns targeting this vulnerability.
Refer to the official PHP security advisory for details: https://security.php.net/CVE-2020-7059