Platform
php
Component
php
Fixed in
7.2.27
7.3.14
7.4.2
CVE-2020-7060 describes a buffer overflow vulnerability affecting PHP versions 7.2.x (prior to 7.2.27), 7.3.x (prior to 7.3.14), and 7.4.x (prior to 7.4.2). This vulnerability arises when using certain mbstring functions to convert multibyte encodings, allowing attackers to supply data that triggers a read past the allocated buffer. The vulnerability can lead to information disclosure or a denial-of-service crash. A fix is available in PHP 7.4.2.
An attacker could exploit this vulnerability by crafting specific input data designed to trigger the buffer overflow within the mbflfiltconvbig5wchar function. Successful exploitation could result in the disclosure of sensitive information stored in memory, potentially including configuration data, session information, or even code. More critically, the overflow could lead to a denial-of-service (DoS) condition, crashing the PHP process and disrupting the web application's functionality. The impact is particularly severe for applications heavily reliant on multibyte string processing or those handling untrusted user input.
CVE-2020-7060 was publicly disclosed on February 10, 2020. While no widespread exploitation campaigns have been publicly reported, the vulnerability's relatively simple nature and potential for DoS attacks make it a potential target. No public proof-of-concept exploits were immediately available, but the potential for exploitation remains. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS
6.40% (91% percentile)
CVSS Vector
The primary mitigation for CVE-2020-7060 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.2 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data processed by mbstring functions to prevent the injection of malicious multibyte sequences. Web application firewalls (WAFs) configured to detect and block oversized input payloads could also provide a temporary layer of protection. Monitor PHP error logs for any unusual crashes or memory-related errors that might indicate exploitation attempts.
Update to the latest version of PHP. If you are using PHP 7.2.x, update to version 7.2.27 or higher. If you are using PHP 7.3.x, update to version 7.3.14 or higher. If you are using PHP 7.4.x, update to version 7.4.2 or higher.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-7060 is a buffer overflow vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x. It allows attackers to trigger a read past the allocated buffer when using certain mbstring functions, potentially leading to information disclosure or a crash.
You are affected if you are running PHP versions 7.2.0–7.2.26, 7.3.0–7.3.13, or 7.4.0–7.4.1. Check your PHP version using php -v.
Upgrade to PHP 7.4.2 or later to resolve the vulnerability. If immediate upgrade is not possible, implement input validation and sanitization on mbstring functions.
While no widespread exploitation campaigns have been publicly reported, the vulnerability's potential for DoS attacks makes it a potential target. Monitor your systems for suspicious activity.
Refer to the official PHP security advisory: https://security.php.net/CVE-2020-7060
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.