The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
facebook hhvm |
||
facebook hhvm 4.57.0 |
||
facebook hhvm 4.58.0 |
||
facebook hhvm 4.58.1 |
||
facebook hhvm 4.59.0 |
||
facebook hhvm 4.60.0 |
||
facebook hhvm 4.61.0 |
||
facebook hhvm 4.62.0 |