CVE-2024-5585 HIGH

CVE-2024-5585: Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)

Vendor Php Group
Product PHP
Weakness CWE-116
Published June 9, 2024
Last update February 13, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

Key dates

02Disclosure timeline

June 9, 2024 CVE published
February 13, 2025 Record updated