Platform
php
Component
php
Fixed in
7.3.15
7.4.3
CVE-2020-7061 describes a buffer overflow vulnerability affecting PHP versions 7.3.x prior to 7.3.15 and 7.4.x prior to 7.4.3. This vulnerability arises when extracting PHAR (PHP Archive) files on Windows systems utilizing the phar extension. Successful exploitation could lead to information disclosure or application crashes, impacting system stability and potentially exposing sensitive data.
An attacker could exploit this vulnerability by crafting a malicious PHAR archive designed to trigger the buffer overflow during extraction on a vulnerable PHP installation. The one-byte read past the allocated buffer could allow an attacker to read sensitive data from memory, potentially including configuration files, session data, or other confidential information. While a direct remote code execution (RCE) is not immediately apparent, the information disclosure aspect could be a stepping stone for further attacks. The blast radius extends to any system running vulnerable PHP versions and processing untrusted PHAR archives. This vulnerability shares similarities with other memory corruption bugs, where seemingly minor overflows can be chained to achieve more significant control.
CVE-2020-7061 was publicly disclosed on February 27, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) exploits are available, demonstrating the feasibility of exploiting the buffer overflow.
Exploit Status
EPSS
2.77% (86% percentile)
CVSS Vector
The primary mitigation for CVE-2020-7061 is to upgrade to a patched version of PHP. Upgrade to PHP 7.4.3 or later to eliminate the vulnerability. If upgrading is not immediately feasible, consider restricting the execution of PHAR archives from untrusted sources. Implement strict file access controls to prevent unauthorized PHAR file uploads or modifications. Web application firewalls (WAFs) configured to inspect PHAR archive contents for suspicious patterns could provide an additional layer of defense, although this is not a guaranteed solution. After upgrade, confirm the fix by attempting to extract a known malicious PHAR archive (in a controlled environment) and verifying that the overflow does not occur.
Update to PHP version 7.3.15 or higher, or to version 7.4.3 or higher. This will fix the buffer overflow vulnerability in the PHAR extension when extracting files on Windows.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-7061 is a medium severity vulnerability in PHP versions 7.3.x and 7.4.x that allows a buffer overflow when extracting PHAR files on Windows, potentially leading to information disclosure or crashes.
You are affected if you are running PHP 7.3.x versions prior to 7.3.15 or PHP 7.4.x versions prior to 7.4.3 and process PHAR archives, especially from untrusted sources.
Upgrade to PHP 7.4.3 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict PHAR execution from untrusted sources.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-7061, but public PoCs exist.
Refer to the official PHP security advisory: https://security.php.net/CVE-2020-7061
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.