CVE-2024-2757

7.5 HIGH

📋 TL;DR

This vulnerability in PHP's mb_encode_mimeheader() function causes infinite loops when processing specific input patterns, leading to denial of service. Any PHP application using this function with untrusted input is affected, particularly web applications processing user-submitted data for email headers or MIME encoding.

💻 Affected Systems

Products:
  • PHP
Versions: PHP 8.3.0 through 8.3.4
Operating Systems: All operating systems running affected PHP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that pass untrusted input to the mb_encode_mimeheader() function. PHP installations without the mbstring extension are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion from infinite loops, potentially affecting multiple services on shared infrastructure.

🟠 Likely Case: Targeted DoS attacks against vulnerable endpoints causing service degradation or temporary outages.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted input to applications using the vulnerable function. No authentication needed if the vulnerable endpoint is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PHP 8.3.5

Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq

Restart Required: Yes

Instructions:

1. Update PHP to version 8.3.5 or later.
2. For Linux: use the package manager (apt-get upgrade php, yum update php, etc.).
3. For Windows: download and install from php.net.
4. Restart the web server/service (Apache, Nginx, PHP-FPM).

🔧 Temporary Workarounds

Input Validation (applies to: all)

Validate and sanitize input before passing it to the mb_encode_mimeheader() function.

Disable mbstring Extension (applies to: all)

Remove or disable the mbstring extension if it is not required (this breaks mb_encode_mimeheader() and every other mb_* function the application uses).

php -m | grep mbstring
Comment out extension=mbstring in php.ini

🧯 If You Can't Patch

  • Implement strict input validation and length limits for data passed to mb_encode_mimeheader()
  • Deploy WAF rules to block suspicious patterns in input to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check the PHP version and whether the mbstring extension is loaded: php -v && php -m | grep mbstring

Check Version:

php -v | head -1

Verify Fix Applied:

Confirm PHP version is 8.3.5 or higher: php -v
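The three checks above can be combined into one script that reports whether a host is exposed. The following is an added example, not part of this advisory page or of the PHP project: it parses the first line of php -v and the output of php -m, flags the 8.3.0 through 8.3.4 range the advisory lists as affected, and treats a host as exposed only when the version is affected and mbstring is loaded. The sample banner and module list embedded at the bottom are constructed for offline use; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): offline check for CVE-2024-2757 exposure.
# Affected range per the advisory: PHP 8.3.0 through 8.3.4; fixed in 8.3.5.

# Extract "8.3.4" from a banner such as "PHP 8.3.4 (cli) (built: ...)".
php_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the version in the banner is 8.3.0..8.3.4, 1 if not, 2 if unparseable.
php_affected_by_cve_2024_2757() {
  ver=$(php_version_from_banner "$1")
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 8 ] && [ "$minor" -eq 3 ] && [ "$patch" -le 4 ]; then
    return 0
  fi
  return 1
}

# Return 0 if "mbstring" appears as a whole line in php -m output (one module per line).
mbstring_loaded() {
  printf '%s\n' "$1" | grep -qx 'mbstring'
}

# Combined verdict: exposed only when the version is affected AND mbstring is loaded.
# Prints a one-word verdict and returns 0 for exposed, 1 for not exposed.
cve_2024_2757_exposed() {
  banner=$1
  modules=$2
  if php_affected_by_cve_2024_2757 "$banner" && mbstring_loaded "$modules"; then
    echo "EXPOSED: $(php_version_from_banner "$banner") with mbstring loaded; update to 8.3.5 or later"
    return 0
  fi
  echo "NOT EXPOSED"
  return 1
}

# Live check when php is on PATH; otherwise run against constructed sample output.
if command -v php >/dev/null 2>&1; then
  cve_2024_2757_exposed "$(php -v | head -1)" "$(php -m)"
else
  SAMPLE_BANNER='PHP 8.3.4 (cli) (built: Mar 13 2024 11:40:48) (NTS)'   # constructed
  SAMPLE_MODULES=$(printf 'Core\nmbstring\nopenssl\n')                    # constructed
  cve_2024_2757_exposed "$SAMPLE_BANNER" "$SAMPLE_MODULES"
fi
```

Note that this only tells you the host runs an affected build with the extension loaded; whether any application on it actually calls mb_encode_mimeheader() on untrusted input still has to be confirmed in the code.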

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes on PHP processes
  • Increased mb_encode_mimeheader function calls
  • Request timeouts on specific endpoints

Network Indicators:

  • Repeated requests with long strings to endpoints using email/MIME functionality
  • Unusual patterns in user input containing long non-space character sequences

SIEM Query:

source="php_error.log" AND ("mb_encode_mimeheader" OR "execution time exceeded")

🔗 References
