CVE-2021-3007

9.8 CRITICAL

📋 TL;DR

CVE-2021-3007 is a PHP deserialization vulnerability in Laminas Project's laminas-http component (and Zend Framework) that allows remote code execution when attacker-controlled data is deserialized. The vulnerability exists in the __destruct method of the Stream class, which can be triggered to execute arbitrary code. This affects applications using vulnerable versions of laminas-http or Zend Framework that deserialize untrusted input.

💻 Affected Systems

Products:
  • Laminas Project laminas-http
  • Zend Framework
Versions: laminas-http before 2.14.2, Zend Framework 3.0.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when applications deserialize untrusted input. The vendor considers this a PHP language vulnerability but added type checking to prevent exploitation in unrecommended use cases.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with full system compromise, allowing attackers to execute arbitrary commands, install malware, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to web server compromise, data theft, or botnet recruitment.

🟢 If Mitigated: Limited impact if proper input validation and deserialization controls prevent attacker-controlled data from reaching vulnerable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires attacker to control deserialized data. Public proof-of-concept exists and has been used in botnet campaigns like FreakOut.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: laminas-http 2.14.2 and later

Vendor Advisory: https://github.com/laminas/laminas-http/releases/tag/2.14.2

Restart Required: No

Instructions:

1. Update laminas-http to version 2.14.2 or later using Composer: 'composer require laminas/laminas-http:^2.14.2'
2. For Zend Framework, migrate to Laminas Project components, as Zend Framework is no longer supported.

🔧 Temporary Workarounds

Input Validation and Sanitization (platform: all)

Implement strict input validation to prevent untrusted data from being deserialized.

Disable Dangerous PHP Functions (platform: linux)

Restrict or disable PHP functions that could be used in exploitation. In php.ini:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Note that this only limits what a successful exploit can call afterwards; it does not stop the deserialization itself, so it is a containment measure, not a fix.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block deserialization attacks
  • Isolate affected systems in network segments with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check composer.json or vendor/laminas/laminas-http/composer.json for version below 2.14.2

Check Version:

composer show laminas/laminas-http | grep versions

Verify Fix Applied:

Verify laminas-http version is 2.14.2 or higher: 'composer show laminas/laminas-http'
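The check above can be automated against a project's composer.lock. The following script is an added example, not part of this advisory: it reads the pinned laminas/laminas-http version, compares it against the fixed release 2.14.2, and also flags a Zend Framework install (assuming the component is published as zendframework/zend-http) as unsupported. The lock file contents are constructed for the demonstration.

```python
import json
import re

# Fixed release per the advisory: laminas-http 2.14.2 and later are patched.
FIXED_VERSION = (2, 14, 2)
LAMINAS_PKG = "laminas/laminas-http"
# Assumption: the Zend Framework HTTP component is published under this package name.
ZEND_PKG = "zendframework/zend-http"

# Constructed sample composer.lock (not from any real project) pinning a vulnerable release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-http", "version": "2.14.1"},
        {"name": "laminas/laminas-stdlib", "version": "3.3.1"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Turn a Composer version string such as 'v2.14.1' or '2.14.2' into a comparable tuple.
    Returns None for non-release versions (dev-master, branch aliases) that cannot be compared."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def installed_packages(lock_text):
    """Map package name -> pinned version for everything in composer.lock (prod and dev)."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def assess_lock(lock_text):
    """Return a list of findings for CVE-2021-3007; an empty list means nothing was flagged."""
    findings = []
    pkgs = installed_packages(lock_text)
    if LAMINAS_PKG in pkgs:
        ver = parse_version(pkgs[LAMINAS_PKG])
        if ver is None:
            findings.append(f"{LAMINAS_PKG} {pkgs[LAMINAS_PKG]}: non-release version, verify manually")
        elif ver < FIXED_VERSION:
            findings.append(f"{LAMINAS_PKG} {pkgs[LAMINAS_PKG]}: vulnerable, update to >=2.14.2")
    if ZEND_PKG in pkgs:
        findings.append(f"{ZEND_PKG} {pkgs[ZEND_PKG]}: unsupported Zend Framework component, migrate to laminas-http")
    return findings
```

Run assess_lock() on the real composer.lock text of each deployed application; composer.json constraints alone do not tell you which release is actually installed.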

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP process execution patterns
  • Deserialization errors in application logs
  • Suspicious POST/PUT requests with serialized data

Network Indicators:

  • HTTP requests containing serialized PHP objects
  • Outbound connections from web servers to unknown IPs

SIEM Query:

source="web_logs" AND ("__destruct" OR "unserialize" OR "phar://")
