Platform
php
Component
php
Fixed in
7.3.31
7.4.24
8.0.11
CVE-2021-21706 is a directory traversal vulnerability affecting PHP versions 7.3.x, 7.4.x, and 8.0.x running on Microsoft Windows. This flaw allows an attacker to potentially write files outside the intended target directory when extracting a specially crafted ZIP archive. The vulnerability impacts versions 7.3.x before 7.3.31, 7.4.x before 7.4.24, and 8.0.x before 8.0.11. A fix is available in PHP 8.0.11.
An attacker can exploit this vulnerability by crafting a malicious ZIP file designed to extract files outside the intended directory. On a Windows system, this could allow them to overwrite critical system files or create files in sensitive locations, potentially leading to privilege escalation or denial of service. The impact is amplified if the PHP process is running with elevated privileges. While the vulnerability is limited to Windows environments, many web servers rely on PHP, making it a widespread concern. Successful exploitation requires the attacker to be able to upload or otherwise provide a ZIP file to the PHP application.
CVE-2021-21706 was publicly disclosed on October 4, 2021. There is no indication of active exploitation at this time, but the availability of a public CVE and the relatively simple nature of the exploit make it a potential target. The EPSS score is likely low to medium, reflecting the need for attacker interaction and the Windows-specific nature of the vulnerability. No KEV listing as of this writing.
Exploit Status
EPSS
0.53% (67% percentile)
CVSS Vector
The primary mitigation for CVE-2021-21706 is to upgrade to PHP version 8.0.11 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file uploads to trusted sources and validate ZIP file contents before extraction. Implement strict directory permissions to limit the impact of potential file overwrites. Web Application Firewalls (WAFs) can be configured to detect and block suspicious ZIP file uploads. Monitor PHP error logs for any unusual file creation or modification activity.
Update to PHP version 7.3.31, 7.4.24 or 8.0.11 or higher. This corrects the vulnerability that allows files to be extracted outside the destination directory in Windows environments.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-21706 is a directory traversal vulnerability in PHP versions 7.3.x, 7.4.x, and 8.0.x on Windows. It allows attackers to potentially write files outside the intended directory when extracting malicious ZIP files.
You are affected if you are running PHP 7.3.x before 7.3.31, 7.4.x before 7.4.24, or 8.0.x before 8.0.11 on a Microsoft Windows system.
Upgrade to PHP version 8.0.11 or later. As a temporary workaround, restrict file uploads and validate ZIP file contents before extraction.
There is no current evidence of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official PHP security advisory: https://www.php.net/security/advisory/2.0/php-8.0-21706
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.