PHP 8.1.11, 8.0.24, and 7.4.32 released with security and bug fixes
PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.
Vulnerabilities fixed in 8.1.11, 8.0.24, and 7.4.32
CVE-2022-31628: Phar: DOS when using quine gzip file
The new releases contain a fix for a Denial of Service security vulnerability in PHP's Phar extension when it attempts to decompress Gzip quines.
A "Gzip quine" is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP's Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.
The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.
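As an added illustration of the bounded-recursion idea the fix describes (Python stand-in written for this page, not code from the PHP project), the decompressor below peels gzip layers one at a time and refuses the input once a nesting depth of 3 is exceeded. The nested sample is constructed inline as a stand-in for a quine; whether PHP's limit of 3 permits or rejects the third layer is an assumption here.

```python
import gzip

GZIP_MAGIC = b"\x1f\x8b"
MAX_GZIP_DEPTH = 3  # assumption: the fix's hard limit, counted as decompression layers


class GzipRecursionError(ValueError):
    """Raised when data still looks like gzip after MAX_GZIP_DEPTH layers."""


def bounded_gunzip(data: bytes, max_depth: int = MAX_GZIP_DEPTH) -> tuple[bytes, int]:
    """Decompress gzip layers until the payload no longer starts with the gzip magic.

    Returns (plaintext, layers_removed). A gzip quine decompresses to itself, so
    the loop condition would stay true forever; the depth cap turns that infinite
    recursion into a refused input, which is the DoS mitigation described above.
    """
    depth = 0
    while data.startswith(GZIP_MAGIC):
        if depth >= max_depth:
            raise GzipRecursionError(
                f"refusing to decompress: more than {max_depth} nested gzip layers"
            )
        data = gzip.decompress(data)  # strips exactly one gzip envelope
        depth += 1
    return data, depth


def nest_gzip(payload: bytes, layers: int) -> bytes:
    """Constructed sample input: wrap payload in `layers` gzip envelopes (stand-in for a quine)."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    print(bounded_gunzip(nest_gzip(b"hello", 3)))  # 3 layers are allowed
    try:
        bounded_gunzip(nest_gzip(b"hello", 4))  # the 4th layer is refused
    except GzipRecursionError as exc:
        print("refused:", exc)
```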
Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits a warning: