Uninitialized Variable in PHP Code Execution

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

This vulnerability results from a variable being used in PHP code before it has been initialized. Because the code never sets the variable's value itself, an attacker who can control that value can make the application execute arbitrary PHP code.

Am I affected?

You're affected if you use PHP versions 7.4.0 to 7.4.12 and 8.0.0 to 8.0.1, as well as PHP-FPM version 7.4.0 to 7.4.12.
Check with:
  grep -r '$_' /var/log/php/*.log                  (server logs)
  find / -name "*.php" -exec grep -l '$_' {} +     (local files; lists each PHP file whose contents match)

Note: This vulnerability is similar to CVE-2019-2523, which affects PHP versions 7.2 and earlier.

Affected Products

PHP Group / PHP

How to fix

  1. Upgrade to PHP version 8.0.2 or later.
  2. For Ubuntu/Debian: sudo apt-get update && sudo apt-get install php8.0
  3. For Red Hat/CentOS: sudo yum install php8.0
  4. For macOS (via Homebrew): brew install php@8
  5. If upgrade isn't possible, apply the following immediate mitigations:
     6. Set display_errors to Off: ini_set('display_errors', 0)
     7. Disable register_globals: ini_set('register_globals', 0)
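As an added illustration of the pattern described under "What is it?" and of the mitigations above (this is example code written for this page, not code from the advisory, from PHP, or from any affected product): a function that reads a variable before it is ever assigned, beside a hardened version that initializes and validates it. The names ($page, $request, resolve_page_vulnerable, resolve_page_hardened) and the pages/ directory layout are assumptions.

```php
<?php
// Added example, not code from the advisory or from the PHP project.
// Names ($page, $request, resolve_page_*) and the pages/ layout are assumptions.

// Vulnerable pattern: $page is read before it is ever assigned. Anything that
// lets request data populate variables (legacy register_globals, or
// extract() over raw input as here) decides which file the caller includes,
// and therefore which PHP code runs.
function resolve_page_vulnerable(array $request): string
{
    extract($request);                     // may define $page from user input
    // $page was never initialized in this scope: it is whatever extract()
    // injected, or null (with an "Undefined variable" warning in PHP 8).
    return __DIR__ . '/pages/' . $page . '.php';   // caller does: include $file;
}

// Hardened pattern: initialize every variable before use, read input
// explicitly, and accept only values from a fixed allow-list. extract() is
// not used at all, so no request key can create or overwrite a local.
function resolve_page_hardened(array $request): string
{
    $allowed = ['home', 'about', 'contact'];
    $page = 'home';                        // explicit default, never undefined

    if (isset($request['page'])
        && is_string($request['page'])
        && in_array($request['page'], $allowed, true)) {
        $page = $request['page'];
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

// Configuration side of the same defence, matching the advisory's mitigation:
// keep error text away from clients, but keep logging "Undefined variable"
// warnings so the pattern stays visible in the server error log.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample requests (not taken from the page).
$known   = ['page' => 'about'];
$unknown = ['page' => 'not-a-real-page'];

echo resolve_page_vulnerable($unknown), PHP_EOL;   // path is taken from the request
echo resolve_page_hardened($unknown),   PHP_EOL;   // falls back to the default page
echo resolve_page_hardened($known),     PHP_EOL;   // allow-listed value is accepted
```

Run it with `php example.php`. The vulnerable function's result is entirely chosen by the request because nothing in the function ever assigns $page; the hardened function cannot return anything outside the allow-list. Turning display_errors off, as the advisory recommends, only stops the warning from reaching the client; leaving log_errors on keeps the undefined-variable warnings in the server log, which is where a grep over the logs (as in "Am I affected?") would find them.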