New: 28 October 2019

A vulnerability in PHP-FPM (CVE-2019-11043) can, in certain configurations and versions, allow a remote attacker to gain remote code execution on the affected system. A crafted request causes the FPM worker to write past an allocated buffer into memory reserved for FastCGI protocol data. A public proof-of-concept exploit works against PHP-FPM behind NGINX when the PHP location block derives PATH_INFO from an anchored fastcgi_split_path_info regex and does not first check that the requested script exists; whether other web server front-ends are exploitable is still being researched.

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation that allows scripts to be executed by an interpreter outside of the webserver.

Recommended Actions

On October 24, 2019, PHP 7.3.11 (current stable), PHP 7.2.24 (old stable) and PHP 7.1.33 (security-only branch) were released to address this vulnerability along with other scheduled bug fixes; upgrade to the fixed release for your branch immediately. If the upgrade cannot be applied right away, a commonly recommended stopgap is to make the NGINX PHP location block verify that the requested script exists before the request is handed to PHP-FPM (for example, try_files $fastcgi_script_name =404;), which stops the request pattern used by the public proof of concept from reaching FPM. Check both the PHP-FPM binary version and the NGINX configuration: a patched PHP with a vulnerable configuration is safe, but an unpatched PHP behind the configuration described above is exploitable.

Affected Versions

PHP-FPM in the following PHP versions:

  • prior to 7.1.33 (the 7.0 and older branches are end-of-life and will not receive a fix),
  • 7.2.x prior to 7.2.24, or
  • 7.3.x prior to 7.3.11
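The following script is an added example for this advisory, not code from the advisory, from PHP or from NGINX. It classifies a PHP version string against the fixed releases listed above, reports the locally installed PHP version where a php-fpm or php binary is on PATH, and flags an NGINX location block that matches the configuration pattern the public proof of concept relies on (an anchored fastcgi_split_path_info regex, PATH_INFO taken from $fastcgi_path_info, and no try_files or "if (-f" existence check). The two location blocks are constructed samples; treating 7.4 and later as fixed is an assumption, and the configuration criteria are taken from the referenced write-up rather than from this page.

```shell
#!/bin/sh
# Added example for this advisory (not part of the original page or of PHP/NGINX):
# 1) classify a PHP version string against the fixed releases listed above, and
# 2) flag an nginx "location" block matching the configuration pattern the public
#    PoC relies on (criteria taken from the referenced write-up; an assumption here).

# Exit 0 (true) if the given PHP version is still affected by CVE-2019-11043.
# Fixed releases per the advisory: 7.1.33, 7.2.24, 7.3.11. Anything below 7.1.33
# (including the end-of-life 7.0/5.x branches) is treated as unfixed; 7.4 and
# later are assumed to ship with the fix.
is_vulnerable_version() {
    v=${1%%[!0-9.]*}                     # drop distro suffixes such as "-1+ubuntu18.04.1"
    [ -n "$v" ] || return 2              # unparseable input: neither "fixed" nor "affected"
    case "$v" in
        *.*.*) ;;
        *.*)   v="$v.0" ;;
        *)     v="$v.0.0" ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                   # ignore any fourth component
    [ "$major" -lt 7 ] && return 0
    [ "$major" -gt 7 ] && return 1
    case "$minor" in
        0) return 0 ;;
        1) [ "$patch" -lt 33 ] ;;
        2) [ "$patch" -lt 24 ] ;;
        3) [ "$patch" -lt 11 ] ;;
        *) return 1 ;;
    esac
}

# Print the locally installed PHP version (php-fpm first, then the CLI).
# Prints nothing and returns 1 if neither binary is on PATH.
installed_php_version() {
    for bin in php-fpm php; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -v 2>/dev/null | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
            return 0
        fi
    done
    return 1
}

# Exit 0 (true) if the text of one nginx location block matches the exploitable
# pattern: anchored fastcgi_split_path_info regex, PATH_INFO from
# $fastcgi_path_info, and no try_files / "if (-f" check that the script exists.
looks_exploitable() {
    block=$1
    printf '%s\n' "$block" | grep -Eq 'fastcgi_split_path_info[[:space:]]+\^.*\$' || return 1
    printf '%s\n' "$block" | grep -Eq 'fastcgi_param[[:space:]]+PATH_INFO[[:space:]]+\$fastcgi_path_info' || return 1
    printf '%s\n' "$block" | grep -Eq 'try_files|if[[:space:]]*\(-f' && return 1
    return 0
}

# Constructed sample blocks (not taken from any real deployment).
EXPLOITABLE_BLOCK='location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}'

# Same block with the existence check used as a stopgap: a request whose URI
# breaks the split regex no longer reaches PHP-FPM.
HARDENED_BLOCK='location ~ [^/]\.php(/|$) {
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}'

for ver in 7.3.10 7.3.11 7.2.24 7.1.32; do
    if is_vulnerable_version "$ver"; then echo "PHP $ver: affected"; else echo "PHP $ver: fixed"; fi
done
if looks_exploitable "$EXPLOITABLE_BLOCK"; then echo "sample block: matches exploitable pattern"; fi
if looks_exploitable "$HARDENED_BLOCK"; then :; else echo "hardened block: does not match"; fi
if local_v=$(installed_php_version) && [ -n "$local_v" ]; then
    if is_vulnerable_version "$local_v"; then echo "local PHP $local_v: affected"; else echo "local PHP $local_v: fixed"; fi
fi
```

To use it on a server, run the script as-is for the version check and pipe each PHP location block from the site configuration into looks_exploitable; a block that matches on an unpatched PHP is the combination the advisory is about, while a match on a patched PHP is only a hardening note.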

References

https://www.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx

https://nvd.nist.gov/vuln/detail/CVE-2019-11043

https://bugs.php.net/bug.php?id=78599

https://isea.utoronto.ca/advisories/