Denial of Service Vulnerability in Mikecao Flight PHP Framework
CVE-2014-125127
7.5 HIGH
What is CVE-2014-125127?
The Mikecao Flight PHP framework is susceptible to Denial of Service attacks due to the immediate loading of request bodies in its Request class constructor. This behavior occurs across all HTTP requests, irrespective of whether the application actually requires the entire request body. An attacker can exploit this design flaw by sending requests with excessively large data payloads, leading to significant memory consumption. This can exhaust server memory resources, resulting in application crashes or denial of service to legitimate users. The issue has been addressed in version 1.2, which introduced lazy loading of request bodies to mitigate this risk.
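The difference between eager and lazy body loading, as an added PHP example that is not Flight's source code. The class names `EagerRequest` and `LazyRequest` are hypothetical, and the 1 MiB size cap is an extra hardening assumption that goes beyond the lazy-loading fix the advisory describes.

```php
<?php
// Added illustration: class names and the size cap are hypothetical, not Flight's code.
// Before: the constructor buffers the whole body on every request,
// so the client controls memory use even on routes that ignore the body.
class EagerRequest
{
    public string $body;
    public function __construct(string $source = 'php://input')
    {
        $this->body = (string) file_get_contents($source);
    }
}

// After: nothing is read until a handler calls getBody().
class LazyRequest
{
    private string $source;
    private int $maxBytes;
    private ?string $body = null;
    public function __construct(string $source = 'php://input', int $maxBytes = 1048576)
    {
        $this->source = $source;
        $this->maxBytes = $maxBytes; // assumed 1 MiB cap, not from the advisory
    }
    public function getBody(): string
    {
        if ($this->body === null) {
            $handle = fopen($this->source, 'rb');
            if ($handle === false) {
                throw new RuntimeException('cannot open request body');
            }
            // Read one byte past the cap: detects an oversized body
            // without buffering the rest of it.
            $data = stream_get_contents($handle, $this->maxBytes + 1);
            fclose($handle);
            if ($data === false || strlen($data) > $this->maxBytes) {
                throw new LengthException('request body unreadable or over limit');
            }
            $this->body = $data;
        }
        return $this->body;
    }
}
// Constructed input: a 4 MiB temp file stands in for php://input.
$tmp = tempnam(sys_get_temp_dir(), 'body');
file_put_contents($tmp, str_repeat('A', 4 * 1024 * 1024));
$request = new LazyRequest($tmp); // constructing reads nothing
try { $request->getBody(); } catch (LengthException $e) { echo $e->getMessage(), "\n"; }
unlink($tmp);
```

Lazy loading only protects routes that never read the body, so limits at the web server or PHP layer are still needed for routes that do.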
Affected Version(s)
core v1.0