CVE-2024-57071
📋 TL;DR
A prototype pollution vulnerability in php-parser's lib.combine function allows attackers to manipulate object prototypes by supplying crafted payloads, potentially causing Denial of Service (DoS). This affects applications using php-parser v3.2.1 to parse PHP code, particularly web applications and development tools that process untrusted input.
💻 Affected Systems
- php-parser
⚠️ Manual Verification Required
This CVE has no structured version range in our database, so automatic vulnerability detection cannot determine whether your system is affected. The free-text description names php-parser v3.2.1 and the fix landed in 3.2.2, but that is not machine-readable version data.
Why? The NVD entry provides no CPE version range for the affected product, so scanners that rely on ranges have nothing to match against.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability if attacker-written prototype properties cause unhandled exceptions, infinite recursion or resource exhaustion in the Node.js process that hosts the parser. (Prototype pollution does not corrupt memory; the crash comes from every object in the process inheriting the attacker's values.)
Likely Case
Application instability or crashes when processing maliciously crafted PHP code, leading to partial or temporary DoS.
If Mitigated
Limited impact with proper input validation and sandboxing, though prototype pollution could still cause unexpected behavior.
🎯 Exploit Status
Exploitation requires crafting specific payloads to trigger prototype pollution; no public exploit code is available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.2.2 or later
Vendor Advisory: https://github.com/glayzzle/php-parser
Restart Required: No
Instructions:
1. Update php-parser to version 3.2.2 or higher: 'npm install php-parser@^3.2.2' (plain 'npm update php-parser' only works if the range in your package.json already permits 3.2.2).
2. Verify the update with 'npm ls php-parser'; this lists every copy in the dependency tree, including copies pulled in transitively by other packages, which must all be 3.2.2 or higher.
3. Test application functionality after the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation so that untrusted data never reaches the lib.combine function unchecked: reject or strip any object whose keys include "__proto__", "constructor" or "prototype" before merging.
Function Restriction
Disable or restrict usage of the lib.combine function if not required, or wrap it so that merge targets are created with Object.create(null) and prototype-chain keys are dropped before the merge.
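The following is an added example, not code from glayzzle/php-parser: `combineUnsafe` is a simplified stand-in for the kind of recursive option-merging routine the advisory describes (the real lib.combine differs), `combineSafe` is the hardened form the workaround above refers to, `isPollutable` is a probe you can point at any merge function to answer "is this exploitable in my environment", and `pollutionCrashDemo` shows how a polluted Object.prototype turns into the TypeError-style crash behind the DoS rating. Function and canary names are ours.

```javascript
"use strict";

// Added illustration for CVE-2024-57071, not code from glayzzle/php-parser.
// combineUnsafe is a simplified stand-in for a recursive option merger.

// Vulnerable shape: copies every own key of `src` into `to`, recursing into
// nested objects. Nothing stops the key "__proto__", so `to["__proto__"]`
// resolves to Object.prototype and the nested payload is written there.
function combineUnsafe(src, to) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (to[key] === null || typeof to[key] !== "object") to[key] = {};
      combineUnsafe(val, to[key]); // for key "__proto__" this is Object.prototype
    } else {
      to[key] = val;
    }
  }
  return to;
}

// Hardened shape: refuse the three keys that reach the prototype chain and
// only recurse into the target's OWN plain-object properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function combineSafe(src, to) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(to, key) ? to[key] : undefined;
      const target = own !== null && typeof own === "object" && !Array.isArray(own) ? own : {};
      to[key] = combineSafe(val, target);
    } else {
      to[key] = val;
    }
  }
  return to;
}

// Probe: hand any merge function a canary payload and check whether an
// unrelated, freshly created object inherits it. JSON.parse is deliberate:
// an object literal {"__proto__": ...} would set the prototype, whereas
// JSON.parse yields an own key named "__proto__", which is what
// attacker-supplied JSON actually produces.
function isPollutable(mergeFn) {
  const canary = "__cve_2024_57071_canary__"; // constructed canary name
  const payload = JSON.parse(`{"__proto__": {"${canary}": 1}}`);
  try {
    mergeFn(payload, {});
    return ({})[canary] === 1;
  } finally {
    delete Object.prototype[canary]; // always restore the global prototype
  }
}

// DoS-flavoured consequence: overwrite Object.prototype.toString with a
// non-callable value; afterwards any string coercion of a plain object throws.
// Returns the thrown error's name, or null if the merge left the prototype alone.
function pollutionCrashDemo(mergeFn) {
  const originalToString = Object.prototype.toString;
  try {
    mergeFn(JSON.parse('{"__proto__": {"toString": 1}}'), {});
    String({}); // ToPrimitive: toString not callable, valueOf returns an object -> TypeError
    return null;
  } catch (err) {
    return err.constructor.name;
  } finally {
    Object.prototype.toString = originalToString;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("combineUnsafe pollutable:", isPollutable(combineUnsafe)); // true
  console.log("combineSafe pollutable:", isPollutable(combineSafe));     // false
  console.log("crash after unsafe merge:", pollutionCrashDemo(combineUnsafe)); // TypeError
  console.log("crash after safe merge:", pollutionCrashDemo(combineSafe));     // null
}
```

To test a real installation, replace `combineUnsafe` with the merge function your application actually exposes to untrusted input and call `isPollutable` on it; the probe cleans up the canary whether or not the merge was pollutable, so it is safe to run in a staging environment.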
🧯 If You Can't Patch
- Isolate the parsing step in a sandboxed environment, ideally a separate worker process or container, so that a crash or runaway prototype pollution cannot take down the main application.
- Implement rate limiting and monitoring to detect and block suspicious parsing attempts.
🔍 How to Verify
Check if Vulnerable:
Check package.json and package-lock.json, or run 'npm ls php-parser', to see whether version 3.2.1 (or any version earlier than 3.2.2) is installed, including as a transitive dependency of another package.
Check Version:
npm list php-parser
Verify Fix Applied:
After updating, confirm version is 3.2.2 or higher with 'npm list php-parser' and test parsing functionality.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or high memory usage when parsing PHP code
- Unexpected TypeError or stack-overflow exceptions whose stack traces pass through php-parser during option handling (lib.combine)
Network Indicators:
- Unusual spikes in requests to endpoints that process PHP code
- Increased error responses from parsing services
SIEM Query:
source="application.logs" AND ("php-parser" OR "lib.combine") AND (error OR crash OR memory)