CVE-2020-1888

7.5 HIGH

📋 TL;DR

CVE-2020-1888 is an out-of-bounds memory read vulnerability in HHVM's JSON decoder that occurs when processing backslash characters. This can cause denial of service (DoS) by crashing the HHVM process. Affected users include anyone running vulnerable HHVM versions to serve PHP applications.

💻 Affected Systems

Products:
  • HHVM
Versions: prior to 4.8.7, 4.9.0 through 4.32.0, 4.33.0 through 4.38.0, and 4.39.0 through 4.45.0
Operating Systems: All operating systems running HHVM
Default Config Vulnerable: ⚠️ Yes
Notes: All HHVM installations using JSON parsing are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through HHVM process crashes leading to sustained denial of service.

🟠

Likely Case

Intermittent service disruptions when malformed JSON triggers the vulnerability.

🟢

If Mitigated

Minimal impact with proper input validation and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed JSON to HHVM endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.7, 4.32.1, 4.38.1, 4.46.0 and later

Vendor Advisory: https://hhvm.com/blog/2020/02/20/security-update.html

Restart Required: Yes

Instructions:

1. Identify the current HHVM version.
2. Upgrade to a patched version.
3. Restart the HHVM service.
4. Verify the fix with test JSON payloads.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement JSON input validation to reject malformed data before HHVM processing.

# Implement in application code or web server configuration

Rate Limiting

all

Limit request rates to reduce DoS impact potential.

# Configure in web server or load balancer

🧯 If You Can't Patch

  • Implement WAF rules to block malformed JSON patterns
  • Isolate HHVM instances behind reverse proxies with input filtering

🔍 How to Verify

Check if Vulnerable:

Check HHVM version against affected ranges: hhvm --version

Check Version:

hhvm --version
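Comparing the reported version against the four affected ranges by hand is error-prone, so the following added example (not part of the advisory or of HHVM itself) parses the `hhvm --version` banner and reports whether the build falls in an affected range; the banner format `HipHop VM x.y.z (rel)` and the sample output are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory text: prior to 4.8.7, 4.9.0-4.32.0,
# 4.33.0-4.38.0 and 4.39.0-4.45.0 (bounds inclusive). Anything outside
# these ranges is a fixed release (4.8.7, 4.32.1, 4.38.1, 4.46.0 and later).
AFFECTED_RANGES = [
    ((0, 0, 0), (4, 8, 6)),
    ((4, 9, 0), (4, 32, 0)),
    ((4, 33, 0), (4, 38, 0)),
    ((4, 39, 0), (4, 45, 0)),
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample banner; the real output format is assumed to start
# with a line like this one, followed by compiler/repo-schema lines.
SAMPLE_BANNER = "HipHop VM 4.32.0 (rel)\nCompiler: (unknown)\n"


def parse_hhvm_version(output: str) -> Optional[Version]:
    """Return the first x.y.z triple found in the banner, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(v: Version) -> bool:
    """True when v lies inside any affected range (tuple comparison)."""
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(output: str) -> str:
    """Classify banner text as 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_hhvm_version(output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(v) else "fixed"


if __name__ == "__main__":
    try:
        out = subprocess.run(["hhvm", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_BANNER  # fall back to the constructed sample
    print(assess(out))
```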

Verify Fix Applied:

Test with controlled JSON payloads containing backslash sequences and monitor for crashes.

📡 Detection & Monitoring

Log Indicators:

  • HHVM process crashes
  • Segmentation fault errors in logs
  • Unexpected service restarts

Network Indicators:

  • Spikes in malformed JSON requests
  • Unusual backslash patterns in payloads

SIEM Query:

source="hhvm.log" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
