CVE-2021-29476

9.8 CRITICAL

📋 TL;DR

CVE-2021-29476 is an insecure-deserialization (PHP object injection) gadget in Requests, the HTTP library for PHP. The Requests_Utility_FilteredIterator class extends ArrayIterator and stores a callback that it applies to every element during iteration; because the class could be rebuilt from a serialized string with an attacker-chosen callback, any application that calls unserialize() on untrusted data while Requests is loaded can be driven to remote code execution. Requests itself never deserializes network input: the gadget needs an unserialize() sink elsewhere in the application. Versions 1.6.0, 1.6.1 and 1.7.0 are affected; 1.8.0 fixes it.
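The mechanism, as an added illustration (this is not code from the Requests project): a minimal model of the FilteredIterator pattern behind the CVE, a hypothetical application sink that hands a cookie to unserialize(), and a model of the 1.8.0 hardening. Demo_FilteredIterator and Demo_HardenedFilteredIterator reproduce only the shape that matters (an ArrayIterator subclass carrying a callback that current() invokes); load_prefs(), build_payload() and iterate() are assumed helpers for the demonstration. 'strtoupper' stands in for a dangerous callback such as 'system'.

```php
<?php
// Added illustration for this page, not code from the Requests project.
// Demo_FilteredIterator models only the shape of the 1.6.0-1.7.0 class that
// matters; Demo_HardenedFilteredIterator models the shape of the 1.8.0 fix.
// load_prefs() is a hypothetical application sink. Run with: php gadget_demo.php
declare(strict_types=1);

class Demo_FilteredIterator extends ArrayIterator {
    protected $callback;

    public function __construct(array $data, $callback) {
        parent::__construct($data);
        $this->callback = $callback;
    }

    #[\ReturnTypeWillChange]
    public function current() {
        // The gadget: whatever unserialize() placed in $this->callback is
        // invoked with each element as soon as anything iterates the object.
        return call_user_func($this->callback, parent::current());
    }
}

// Shape of the 1.8.0 fix: refuse to rebuild the object from a serialized string.
// All three hooks matter. On PHP >= 7.4 ArrayIterator's __unserialize() takes
// precedence over Serializable::unserialize() and suppresses __wakeup(); on older
// PHP a hand-crafted "O:" payload sets the property directly and then runs
// __wakeup(), while a "C:" payload goes through unserialize().
class Demo_HardenedFilteredIterator extends Demo_FilteredIterator {
    public function __unserialize(array $data): void {}          // restore nothing
    public function __wakeup(): void { unset($this->callback); } // drop any injected callback
    public function unserialize($serialized): void {}            // Serializable path: no-op
}

// Hypothetical sink: the precondition the gadget needs. Requests never does this;
// the CVE only matters when the application deserializes attacker-controlled data.
function load_prefs(string $cookie) {
    return unserialize($cookie);
}

// An attacker prepares the payload offline by constructing the object with a
// chosen callback and argument and serializing it, then substitutes the real
// class name (Requests_Utility_FilteredIterator) for the demo class name.
function build_payload(string $class, string $callback, string $arg): string {
    return serialize(new $class([$arg], $callback));
}

// Anything that iterates the object (foreach, iterator_to_array, ...) calls
// current() and therefore the callback.
function iterate($obj): array {
    $seen = [];
    foreach ($obj as $value) {
        $seen[] = $value;
    }
    return $seen;
}

$payload = build_payload(Demo_FilteredIterator::class, 'strtoupper', 'id');
echo "payload: $payload\n";
$result = iterate(load_prefs($payload));
echo 'vulnerable model: callback ', $result ? 'ran, produced ' . implode(',', $result) : 'did not run', "\n";

$payload = build_payload(Demo_HardenedFilteredIterator::class, 'strtoupper', 'id');
$result = iterate(load_prefs($payload));
echo 'hardened model:   callback ', $result ? 'ran, produced ' . implode(',', $result) : 'did not run', "\n";
```

In the vulnerable model the iteration returns the uppercased argument, proving the callback fired from nothing but a string passed to unserialize(); in the hardened model nothing is restored, so there is nothing to iterate and no callback to call. The same shape applies to the real class: with 1.7.0 loaded, the payload differs only in the class name.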

💻 Affected Systems

Products:
  • Requests PHP HTTP library
Versions: 1.6.0, 1.6.1, 1.7.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes (the gadget class is loaded whenever the library is)
Notes: Any PHP application shipping an affected Requests version carries the gadget regardless of configuration. Turning it into code execution additionally requires a place where the application calls unserialize() on attacker-controlled data (a cookie, form field, cached value or database row an attacker can write); that sink is in the application, not in Requests.

📦 What is this software?

Requests is an HTTP library written in PHP, published on Packagist as rmccue/requests and bundled in WordPress core under wp-includes, so it is present on a very large number of PHP deployments that never installed it explicitly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution with the privileges of the web server process, potentially allowing file system access, data exfiltration, and further exploitation.

🟢

If Mitigated

Limited impact if the application never passes attacker-controlled data to unserialize() (or does so only with allowed_classes restricted): the gadget then has no entry point. The residual risk is that any future deserialization flaw in the application, a plugin or a dependency becomes immediately weaponizable, so the library should still be updated.

🌐 Internet-Facing: HIGH - Web applications using the vulnerable library are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The library is widely deployed (it ships inside WordPress core) and the payload is trivial to construct: an attacker serializes a Requests_Utility_FilteredIterator with a chosen callback and argument and submits it wherever the application calls unserialize() on request-derived data. Whether that sink is reachable without authentication depends on the application, not on Requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54

Restart Required: No, with one caveat: if opcache is configured not to revalidate files (opcache.validate_timestamps=0), reset opcache or reload PHP-FPM/Apache so the patched class replaces the cached one.

Instructions:

1. Update the Requests library to version 1.8.0 or higher.
2. Composer projects: run 'composer update rmccue/requests'. This only moves to 1.8.0 if the constraint in composer.json allows it (for example ^1.7); if it pins 1.7.*, change it to ^1.8 or run 'composer require rmccue/requests:^1.8' first.
3. Manual installations: replace the Requests directory with the 1.8.0 release. WordPress bundles its own copy under wp-includes, so WordPress sites take the fix through a core update; check the bundled Requests::VERSION afterwards rather than assuming.
4. Confirm the installed version and test application functionality after the update.

🔧 Temporary Workarounds

Input validation and sanitization

all

Keep serialized PHP from untrusted sources out of unserialize() altogether. Where deserializing user data cannot be removed quickly, call unserialize($data, ['allowed_classes' => false]) (PHP 7.0+), which rebuilds any object token, including O:33:"Requests_Utility_FilteredIterator", as __PHP_Incomplete_Class instead of a live object, so no callback is ever invoked. Prefer JSON for anything new.

Disable affected functionality

all

If possible, disable or restrict the endpoints that call unserialize() on request-derived data (cookies, POST fields, cached or stored values an attacker can write). The FilteredIterator class is the gadget that turns such a call into code execution; it is not itself a network-facing endpoint, so look for the unserialize() sinks, not for uses of the iterator.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block serialized PHP object tokens (O:, C:) in request bodies, cookies and query strings, including their URL-encoded and base64-encoded forms; a rule that only matches the literal 'O:' is both noisy and easy to bypass.
  • If upgrading the whole library is blocked, backport the upstream change to Requests/Utility/FilteredIterator.php: the 1.8.0 fix is a few lines adding a __wakeup() that unsets the callback and no-op unserialize()/__unserialize() methods.
  • Isolate affected systems in network segments with strict access controls and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check composer.lock (it records the installed version; composer.json only holds the constraint) for the rmccue/requests entry, or read the Requests::VERSION constant in the library's Requests.php (wp-includes/class-requests.php in WordPress). Versions 1.6.0, 1.6.1 and 1.7.0 are affected.

Check Version:

For Composer: 'composer show rmccue/requests'. For manual or bundled installs: read the VERSION constant declared in the Requests class (const VERSION = '1.7.0'; in Requests.php), or print Requests::VERSION from a PHP script that autoloads the library.

Verify Fix Applied:

Verify that the Requests library version is 1.8.0 or higher. As a second check, confirm that Requests/Utility/FilteredIterator.php now defines __wakeup() (which unsets the callback property) together with no-op unserialize() and __unserialize() methods; an affected copy has none of them.
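A checker that carries out the three verification steps above, added here as an example (not a tool shipped with Requests or WordPress): it reads the installed version from composer.lock or from the Requests::VERSION constant, classifies it against the advisory's affected range, and looks for the 1.8.0 hardening in FilteredIterator.php. The file locations (vendor/rmccue/requests/library/... for Composer, wp-includes/... for WordPress) are assumptions about typical layouts; pass your own paths.

```php
<?php
// Added helper for this page, not part of Requests or WordPress. Usage:
//   php check_requests.php /path/to/composer.lock
//   php check_requests.php /path/to/wp-includes/class-requests.php
//   php check_requests.php /path/to/vendor/rmccue/requests/library/Requests.php
declare(strict_types=1);

const AFFECTED = ['1.6.0', '1.6.1', '1.7.0'];
const FIXED    = '1.8.0';

// composer.lock records the installed version under packages / packages-dev.
function version_from_lock(string $lockPath): ?string {
    $lock = json_decode((string) file_get_contents($lockPath), true) ?: [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? '') === 'rmccue/requests') {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

// The library's main class declares: const VERSION = '1.7.0';
function version_from_source(string $requestsPhp): ?string {
    $src = (string) file_get_contents($requestsPhp);
    return preg_match("/const\s+VERSION\s*=\s*'([0-9.]+)'/", $src, $m) ? $m[1] : null;
}

function assess(?string $version): string {
    if ($version === null) {
        return 'rmccue/requests not found';
    }
    if (in_array($version, AFFECTED, true)) {
        return "VULNERABLE: $version is in the affected range";
    }
    if (version_compare($version, FIXED, '>=')) {
        return "patched: $version";
    }
    return "$version is outside the range this advisory lists as affected";
}

// The 1.8.0 fix made FilteredIterator refuse deserialization by adding a
// __wakeup() that unsets the callback plus no-op unserialize()/__unserialize().
function fix_present(string $filteredIteratorPhp): bool {
    $src = (string) file_get_contents($filteredIteratorPhp);
    return strpos($src, 'function __wakeup') !== false
        && strpos($src, 'function unserialize') !== false;
}

$target  = $argv[1] ?? 'composer.lock';
$isLock  = basename($target) === 'composer.lock';
$version = $isLock ? version_from_lock($target) : version_from_source($target);
echo assess($version), "\n";

// Assumed locations of FilteredIterator.php relative to the file we were given.
$iterator = $isLock
    ? dirname($target) . '/vendor/rmccue/requests/library/Requests/Utility/FilteredIterator.php'
    : dirname($target) . '/Requests/Utility/FilteredIterator.php';
if (is_file($iterator)) {
    echo 'FilteredIterator hardening ', fix_present($iterator) ? 'present' : 'MISSING', "\n";
} else {
    echo "FilteredIterator.php not found at $iterator (adjust the assumed path)\n";
}
```

The version check is the authoritative signal; the source grep is a cheap confirmation that the file on disk is really the patched one (useful after a partial or manual update where composer.lock and the deployed tree can disagree).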

📡 Detection & Monitoring

Log Indicators:

  • PHP notices or warnings from unserialize() ("Error at offset ...") or from call_user_func() being handed an unexpected callback, in the web server or PHP-FPM error log
  • POST/PUT bodies, cookies or query parameters whose values start with a serialized-object token (O:, C:), or with the URL-encoded or base64-encoded form of one
  • Unexpected child processes (sh, curl, wget, ...) spawned by the PHP worker (php-fpm, apache2, php-cgi)

Network Indicators:

  • HTTP requests carrying the serialized-object token for the gadget class, O:33:"Requests_Utility_FilteredIterator" (or the C:33: Serializable form), in the body, cookies or query string, possibly URL- or base64-encoded
  • Unusual outbound connections from web servers (reverse shells, retrieval of second-stage tooling)

SIEM Query:

web_logs | where body contains 'Requests_Utility_FilteredIterator' or body contains 'O:33:"' or body contains 'C:33:"'

The class name is the specific indicator; matching a bare 'O:' or 's:' across all bodies produces far too many hits to triage. Decode URL- and base64-encoded fields before applying the match, since the token is easily hidden behind either.
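The SIEM query above only sees the literal token. The following added example (not code from the page or the project) shows the same match applied to constructed sample request bodies after URL-decoding and after base64-decoding any long base64-looking chunks, which is what a detection hook or WAF plug-in would need to do. The sample bodies are constructed and deliberately truncated after the class token, since that token is all the detection keys on.

```php
<?php
// Added detection example for this page, not code from the Requests project.
// Flags request bodies that carry a serialized Requests_Utility_FilteredIterator
// object in raw, URL-encoded or base64-encoded form. Sample traffic is constructed.
declare(strict_types=1);

const GADGET_CLASS = 'Requests_Utility_FilteredIterator';

// Serialized-object tokens for the gadget class. "O:" is the generic object form
// (and what a hand-crafted payload uses); "C:" is the Serializable form that
// serialize() emitted for ArrayIterator subclasses before PHP 7.4. unserialize()
// accepts both, so both are indicators.
function gadget_tokens(): array {
    $n = strlen(GADGET_CLASS); // 33
    return ['O:' . $n . ':"' . GADGET_CLASS . '"', 'C:' . $n . ':"' . GADGET_CLASS . '"'];
}

// Views of the body that an attacker can hide the token behind: the raw bytes,
// the URL-decoded bytes, and any base64 chunk (16+ chars) found in either.
function decodings(string $body): array {
    $views = [$body, rawurldecode($body)];
    foreach ([$body, rawurldecode($body)] as $text) {
        if (preg_match_all('~[A-Za-z0-9+/]{16,}={0,2}~', $text, $m)) {
            foreach ($m[0] as $chunk) {
                $decoded = base64_decode($chunk, true);
                if ($decoded !== false) {
                    $views[] = $decoded;
                }
            }
        }
    }
    return $views;
}

function contains_gadget(string $body): bool {
    foreach (decodings($body) as $view) {
        foreach (gadget_tokens() as $token) {
            if (strpos($view, $token) !== false) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample traffic: ordinary form posts and a benign serialized array
// that must stay quiet, then the gadget token raw, URL-encoded and base64-wrapped.
// The serialized payloads are cut off after the class token on purpose.
[$objToken, $serToken] = gadget_tokens();
$samples = [
    'login=alice&pw=hunter2',
    'prefs=a:1:{s:5:"theme";s:4:"dark";}',
    'prefs=' . $objToken . ':{truncated}',
    'prefs=' . $serToken . ':{truncated}',
    'prefs=' . rawurlencode($objToken . ':{truncated}'),
    'prefs=' . base64_encode($objToken . ':{truncated}'),
];

foreach ($samples as $body) {
    printf("%-6s %s\n", contains_gadget($body) ? 'ALERT' : 'ok', substr($body, 0, 72));
}
```

The first two samples stay quiet and the last four alert. Extend the decoding step (for example, JSON string escapes or gzip-compressed fields) to match whatever encodings the application actually accepts on the path to its unserialize() call.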

🔗 References

  • Vendor advisory (GitHub Security Advisory GHSA-52qp-jpq7-6c54): https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54
