CVE-2024-3096 MEDIUM

CVE-2024-3096: PHP function password_verify can erroneously return true when argument contains NUL

Vendor Php Group
Product PHP
Weakness CWE-20 · Input validation
Published April 29, 2024
Last update November 4, 2025
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

Key dates

02Disclosure timeline

April 29, 2024 CVE published
November 4, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-1854 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2019-15957 Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Command Injection Vulnerability CVE-2024-8755 Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. CVE-2020-7869 CVE-2026-2880 @fastify/middie has an improper path normalization vulnerability