Platform: php
Component: php
Fixed in: 7.2.1, 7.3.1, 7.4.1
CVE-2020-7066 is a vulnerability affecting PHP versions 7.2.x, 7.3.x, and 7.4.x. When the get_headers() function is called with a user-supplied URL containing a NUL character (\0, a null byte), the URL is silently truncated at that byte. Software can then make incorrect assumptions about the target URL and potentially send information to the wrong server, leading to unintended data exposure or misdirection.
The primary impact of CVE-2020-7066 lies in the potential for attackers to manipulate the target of get_headers() requests. By injecting null bytes into a user-controlled URL passed to get_headers(), an attacker can truncate the URL, effectively changing the destination. This could lead to sensitive data being sent to an attacker-controlled server instead of the intended recipient. For example, an application using get_headers() to verify the legitimacy of a URL might be tricked into accepting a malicious URL because of the truncation. The blast radius depends on how the application uses get_headers() and on the sensitivity of the data being handled. While this is not a direct remote code execution vulnerability, the misdirection of requests can have significant consequences depending on the application's functionality.
CVE-2020-7066 was published on April 1, 2020. Its severity is pending further evaluation, but currently rated as MEDIUM (CVSS 5.3). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. It is not currently listed on CISA’s Known Exploited Vulnerabilities catalog. While a POC is not widely available, the vulnerability's nature makes it relatively straightforward to demonstrate, increasing the likelihood of future exploitation.
Exploit Status
EPSS: 1.53% (81st percentile)
CVSS Vector:
The recommended mitigation for CVE-2020-7066 is to upgrade to PHP version 7.4.4 or later, which contains the fix. If upgrading is not immediately feasible, implement input validation on URLs passed to get_headers(): specifically, reject or strip user-supplied URLs that contain null bytes (\0). Web application firewalls (WAFs) can be configured to detect and block requests containing suspicious URL patterns. Additionally, review application code that calls get_headers() to ensure proper error handling and validation of the returned headers, so that unexpected behaviour is caught. After upgrading, confirm the fix by calling get_headers() with a URL containing a null byte; the URL should not be truncated.
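The interim mitigation above, as an added example that is not part of the advisory or of PHP itself: a wrapper that rejects null-byte URLs before they reach get_headers() and pins the destination to an allow-list of expected hosts. The function names, the allow-list and the sample inputs are this example's own constructions.

```php
<?php
// Added example (not from the advisory): guard user-supplied URLs before
// they reach get_headers(), so a null byte can never silently truncate them.

function validate_outbound_url(string $url, array $allowedHosts): string
{
    // 1. Null bytes: on unpatched PHP 7.x the URL would be cut at this byte.
    if (strpos($url, "\0") !== false) {
        throw new InvalidArgumentException('URL contains a null byte');
    }
    // 2. Only absolute http(s) URLs with a host component are acceptable.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL is not an absolute URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('URL scheme not permitted');
    }
    // 3. Pin the destination: anything outside the allow-list is refused,
    //    so a redirected or attacker-chosen host cannot receive the request.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('URL host not in allow-list');
    }
    return $url;
}

function safe_get_headers(string $url, array $allowedHosts): array
{
    $url = validate_outbound_url($url, $allowedHosts);
    $headers = get_headers($url, 1); // 1 = associative array of headers
    if ($headers === false) {
        throw new RuntimeException('get_headers() failed for ' . $url);
    }
    return $headers;
}

// Constructed inputs (hypothetical hosts) showing the checks; the rejections
// need no network access because they fail before get_headers() is called.
$allowed = ['example.com'];
$inputs = [
    "https://example.com/health",            // accepted
    "https://example.com/report\0.evil.test", // rejected: null byte
    "https://evil.test/?u=example.com",      // rejected: host not allowed
];
foreach ($inputs as $candidate) {
    $shown = addcslashes($candidate, "\0");
    try {
        validate_outbound_url($candidate, $allowed);
        echo "ok:       $shown\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $shown (" . $e->getMessage() . ")\n";
    }
}
```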
Update to PHP version 7.2.29, 7.3.16 or 7.4.4 or later, as appropriate for your current version. This fixes the vulnerability that allows URLs to be truncated when the get_headers() function is used with user-supplied URLs containing null characters.
It is a vulnerability in PHP where URLs passed to the get_headers() function are silently truncated if they contain null bytes, potentially sending data to the wrong server.
You are affected if you're using PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16, or 7.4.x below 7.4.4.
Upgrade to PHP version 7.4.4 or later. If upgrading is not possible, sanitize user-supplied URLs to reject or remove null bytes.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but the potential for exploitation exists.
Refer to the official CVE entry on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2020-7066