CVE-2024-8925

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

How to fix CVE-2024-8925

To remediate CVE-2024-8925, upgrade the affected package to a fixed version below.

• —upgrade to 8.1.30 or later
• —upgrade to 8.1.30 or later
• —upgrade to 8.1.30 or later
• —upgrade to 7.4.33-1+deb11u6 or later
• —upgrade to 8.2.24-1~deb12u1 or later
• —upgrade to 8.2.24-1~deb12u1 or later

Is CVE-2024-8925 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• from 0, < 7.4.33-1+deb11u6
• from 0, < 8.2.24-1~deb12u1
• from 0, < 8.2.24-1~deb12u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-8925
• WEBgithub.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32
• WEBlists.debian.org/debian-lts-announce/2024/10/msg00011.html
• WEBnvd.nist.gov/vuln/detail/CVE-2024-8925