CVE-2020-1900

9.8 CRITICAL

📋 TL;DR

CVE-2020-1900 is a use-after-free vulnerability in HHVM's object unserialization that occurs when dynamic properties are not properly pre-reserved in memory arrays. This allows attackers to potentially execute arbitrary code or cause denial of service. Affected systems are those running vulnerable versions of HHVM.

💻 Affected Systems

Products:
  • HHVM
Versions: Prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0
Operating Systems: All platforms running HHVM
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using HHVM's unserialize() function with dynamic properties is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or memory corruption, potentially leading to data loss.

🟢 If Mitigated

Limited impact if proper input validation and serialization controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious serialized objects, but no public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.32.3, v4.56.1, v4.57.1, v4.58.2, v4.59.1, v4.60.1, v4.61.1, v4.62.1 and later

Vendor Advisory: https://hhvm.com/blog/2020/06/30/security-update.html

Restart Required: Yes

Instructions:

1. Identify the current HHVM version.
2. Update to a patched version using the package manager.
3. Restart the HHVM service.
4. Verify the version after restart.

🔧 Temporary Workarounds

1. Disable unserialize of untrusted data (applies to: all)
   Implement input validation to prevent unserialization of user-controlled data.

2. Use safe serialization alternatives (applies to: all)
   Replace unserialize() with JSON decode or other safe data formats.

🧯 If You Can't Patch

  • Implement strict input validation to reject serialized objects from untrusted sources
  • Deploy web application firewall rules to detect and block serialized object payloads

🔍 How to Verify

Check if Vulnerable:

Check HHVM version with: hhvm --version

Check Version:

hhvm --version

Verify Fix Applied:

Verify version is patched (v4.32.3+, v4.56.1+, etc.) and test unserialization functionality
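The version ranges above can be checked mechanically. The following is an added example, not code from the advisory or from the HHVM project; it assumes the first line of `hhvm --version` output has the form "HipHop VM 4.58.1 (rel)" and uses a constructed sample line instead of a live install.

```shell
# Classify an HHVM version string against the affected/patched ranges
# listed in this advisory. Assumption: `hhvm --version` prints a first
# line like "HipHop VM 4.58.1 (rel)"; the sample below is constructed.

# Print "vulnerable" or "patched" for a version given as MAJOR.MINOR[.PATCH].
cve_2020_1900_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;            # "4.58" -> treat as 4.58.0
    esac
    patch=${patch%%[!0-9]*}        # drop suffixes such as "1-dev"
    [ -n "$patch" ] || patch=0
    # Fixed releases per affected line: 4.32.3, 4.56.1, 4.57.1, 4.58.2,
    # 4.59.1, 4.60.1, 4.61.1, 4.62.1; anything newer than 4.62 is fixed.
    if [ "$major" -lt 4 ]; then echo vulnerable; return; fi
    if [ "$major" -gt 4 ] || [ "$minor" -gt 62 ]; then echo patched; return; fi
    case "$minor" in
        32)                need=3 ;;
        56|57|59|60|61|62) need=1 ;;
        58)                need=2 ;;
        *)  # below 4.32, or the whole 4.33-4.55 range: no fixed release
            echo vulnerable; return ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Extract MAJOR.MINOR.PATCH from the first line of `hhvm --version` output.
hhvm_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^HipHop VM \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT='HipHop VM 4.58.1 (rel)
Compiler: sample'

v=$(hhvm_version_from_output "$SAMPLE_OUTPUT")
echo "HHVM $v: $(cve_2020_1900_status "$v")"
```

On a real host, replace SAMPLE_OUTPUT with `$(hhvm --version)`; a "vulnerable" result means the install falls inside one of the affected ranges above.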

📡 Detection & Monitoring

Log Indicators:

  • Memory corruption errors
  • Segmentation faults in HHVM logs
  • Unusual unserialization patterns

Network Indicators:

  • Malformed serialized objects in HTTP requests
  • Unexpected HHVM process crashes

SIEM Query:

source="hhvm.log" AND ("segmentation fault" OR "memory corruption" OR "unserialize")
