Platform: php
Component: php
Fixed in: 7.2.28, 7.3.15, 7.4.3
CVE-2020-7062 describes a Null Pointer Dereference vulnerability affecting PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3. This vulnerability arises during file uploads when progress tracking is enabled, but the session.upload_progress.cleanup setting is disabled. A failed upload can trigger an attempt to clean up non-existent data, resulting in a crash.
Successful exploitation of CVE-2020-7062 can lead to a denial-of-service (DoS) condition, causing the PHP interpreter to crash. This can disrupt web applications relying on PHP, potentially impacting availability and user access. While not directly exploitable for remote code execution, a crash can be leveraged to disrupt services and potentially trigger other vulnerabilities in the application. The impact is particularly severe for applications heavily reliant on file uploads and progress tracking, such as media sharing platforms or e-commerce sites.
CVE-2020-7062 was publicly disclosed on February 27, 2020. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for DoS attacks makes it a concern. There are publicly available proof-of-concept exploits demonstrating the crash condition. This CVE is not currently listed on the CISA KEV catalog.
EPSS: 1.16% (78th percentile)
The primary mitigation for CVE-2020-7062 is to upgrade to a patched version of PHP. Upgrade to PHP 7.4.3 or later to resolve the vulnerability. If an immediate upgrade is not feasible, consider temporarily disabling session.upload_progress.cleanup, although this may impact upload progress tracking functionality. Monitor PHP error logs for crash reports related to file uploads, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting a file upload and verifying that the upload process completes without errors or crashes.
Update to the latest version of PHP. Specifically, update to version 7.2.28 or higher, 7.3.15 or higher, or 7.4.3 or higher. This fixes the null pointer dereference vulnerability.
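A small audit helper, added here as an example (it is not part of this advisory or of PHP), that encodes the affected ranges and the trigger condition described above: it parses a php.ini fragment plus a version string and reports whether a build is in an affected range and whether upload progress tracking is on while session.upload_progress.cleanup is off. The two ini keys are PHP's real directives; treating a missing key as 1 follows PHP's documented defaults.

```python
import re

# Patch level at which each affected minor branch was fixed (from the advisory).
FIXED_IN = {(7, 2): 28, (7, 3): 15, (7, 4): 3}


def _ini_bool(value: str) -> bool:
    """Interpret a php.ini boolean (On/Off, 1/0, true/false, yes/no)."""
    return value.strip().strip("\"'").lower() in ("1", "on", "true", "yes")


def parse_php_ini(text: str) -> dict:
    """Parse 'key = value' lines; ';' starts a comment, [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def version_affected(version: str) -> bool:
    """True for 7.2.x < 7.2.28, 7.3.x < 7.3.15, 7.4.x < 7.4.3 (suffixes like '-1ubuntu' are ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def config_exposed(settings: dict) -> bool:
    """Trigger condition: progress tracking enabled, cleanup disabled (absent keys default to 1)."""
    enabled = _ini_bool(settings.get("session.upload_progress.enabled", "1"))
    cleanup = _ini_bool(settings.get("session.upload_progress.cleanup", "1"))
    return enabled and not cleanup


def assess(version: str, ini_text: str) -> str:
    """'NOT AFFECTED' (build outside the ranges), 'NOT EXPOSED' (affected build,
    non-triggering config) or 'VULNERABLE' (affected build and triggering config)."""
    if not version_affected(version):
        return "NOT AFFECTED"
    if not config_exposed(parse_php_ini(ini_text)):
        return "NOT EXPOSED"
    return "VULNERABLE"


if __name__ == "__main__":
    # Constructed sample: an unpatched 7.4 build with cleanup switched off.
    SAMPLE_INI = "session.upload_progress.enabled = On\nsession.upload_progress.cleanup = Off\n"
    print(assess("7.4.2", SAMPLE_INI))  # VULNERABLE
```

On a live host, feed it the output of `php -r 'echo PHP_VERSION;'` and the loaded php.ini (path shown by `php --ini`) rather than the constructed sample.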
CVE-2020-7062 is a vulnerability in PHP 7.4 and earlier versions that can cause a crash during file uploads when progress tracking is enabled but cleanup is disabled, leading to a denial-of-service.
You are affected if you are running PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, or 7.4.x below 7.4.3 and using file upload functionality with progress tracking enabled.
Upgrade to PHP 7.4.3 or later to resolve the vulnerability. As a temporary workaround, you can disable session.upload_progress.cleanup, but this will disable upload progress tracking.
While no confirmed active exploitation campaigns are publicly known, the potential for DoS attacks makes it a concern, and proof-of-concept exploits are available.
Refer to the PHP security advisory at https://security.php.net/CVE-2020-7062 for detailed information and updates.