DoS vulnerability when parsing multipart request body

Kurzinfo

Veroeffentlicht: 2023-02-15 20:32 UTC Importiert: 2026-05-14 18:44 UTC Quelle-ID: php_sec uid_hash: ad3a8b622f46255ed22c09369154225e0b23e1b8611c96f4cdf2d0a090803d9f

PHP Security (php/php-src GHSA)

Inhalt

Summary

The request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging.

Details

The multipart body parser processes an unlimited number of file parts. The multipart body parser processes an unlimited number of field parts. The multipart body parser emits an unbound number of warning messages.

Impact

This is a remote unauthenticated Denial of Service vulnerability.

The default/production configuration is affected by this vulnerability.

The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large volume of warning messages can wear down the disk and fill it up. Complete DoS is achievable by sending many concurrent multipart requests in a loop.

PHP parses the request body before invoking any application scripts. This vulnerability affects all PHP websites that accept POST request bodies (post_max_size set to a value greater than zero, the default value is 8MB).

As a mitigation, users can decrease post_max_size close to zero. This will render most websites non-interactive and/or break file uploads.

Verknuepfte CVEs

CVE-ID	Severity (CVE.org)	CVSS (CVE.org)	EPSS	EPSS-%	Veroeffentlicht (CVE.org)
CVE-2023-0662	-	-	-	-

Quellen-Details

Bezeichnung	Name	Kategorie	Tags	Zielgruppe	Sprache	Feed-URL
PHP Security (php/php-src GHSA)	php_sec	vendor_advisory	php, runtime	-	de	https://github.com/php/php-src/security/advisories

Zurueck zur Eintrags-Liste