Uncontrolled Deserialization Vulnerability in HHVM by Facebook
CVE-2020-1898

7.5HIGH

Key Information:

Vendor

Facebook

Status
Hhvm
Vendor
CVE Published:
11 March 2021

What is CVE-2020-1898?

The fb_unserialize function in HHVM lacks a depth limit for nested deserialization, allowing an attacker to craft a malicious input that can lead to excessive recursion. This uncontrolled recursion may result in stack exhaustion, causing the application to crash or become unresponsive. Users of affected HHVM versions should update promptly to safeguard against exploitation.

Affected Version(s)

HHVM 4.62.0

HHVM 4.61.0

HHVM 4.60.0

References

https://hhvm.com/blog/2020/06/30/security-update.html
x_refsource_CONFIRM
https://github.com/facebook/hhvm/commit/1746dfb11fc004836...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.