The PHP Foundation recently completed an extensive audit of the PHP core, focusing on security vulnerabilities. Commissioned by the Sovereign Tech Agency and conducted in partnership with the Open Source Technology Improvement Fund (OSTIF), the two-month analysis was performed by the Quarkslab security group. Due to operational costs, the audit targeted the most critical components of PHP’s codebase rather than the entire source. The effort paid off, uncovering 27 issues, 17 of which were security-related, including 3 high-risk vulnerabilities and 5 of medium severity.
Affected components include the PHP-FPM “binding code” between master and worker processes, the PDO extension, the native MySQL driver, RFC 1867, the OpenSSL extension, and hashing-related functionalities. No reports indicate these vulnerabilities have been exploited, and the report notes that triggering them is challenging. Conducted last year, the audit led to fixes for all identified issues. Users are urged to upgrade to the latest PHP versions, with PHP 8.3.20 and PHP 8.4.6 released recently. The full 106-page report is available online as a PDF.
