Request Smuggling Vulnerability in PHP Standard Library's ServerConnection from PHP Standard Library
CVE-2026-48979
What is CVE-2026-48979?
The PHP Standard Library's ServerConnection contains a vulnerability wherein it fails to verify that the total bytes received in DATA frames align with the content-length header stipulated in the HEADERS frame. This flaw enables malicious clients to either send excess DATA bytes beyond what was declared or send fewer bytes and prematurely terminate the stream. Such actions can lead to significant application errors, especially for systems that rely on the declared content length. This issue only affects users engaging directly with the Psl\H2\ServerConnection while processing untrusted client requests. Those utilizing the higher-level documented APIs of the PHP Standard Library remain secure. Versions 6.1.2 and 6.2.1 contain crucial fixes addressing this issue.
Affected Version(s)
php-standard-library >= 6.1.0, < 6.1.2 < 6.1.0, 6.1.2
php-standard-library >= 6.2.0, < 6.2.1 < 6.2.0, 6.2.1
php-standard-library/h2 >= 6.1.0, < 6.1.2 < 6.1.0, 6.1.2