CVE CyberSecurity Database News

CVE-2024-11235 - Dangerous PHP Use-After-Free Vulnerability (RCE Risk with __set, ??=, and Exceptions)

Poster -

Recently, security researchers discovered a critical vulnerability affecting recent versions of PHP. Tracked as CVE-2024-11235, this bug exists in PHP 8.3.* before 8.3.19 and PHP 8.4.* before 8.4.5. A specific chain involving PHP's magic __set() handler, the null coalescing assignment operator (??=), and exceptions can trigger a *use-after-free* memory error.

What’s the Bug?

In certain situations, PHP's __set() function and the ??= operator (short for "null coalescing assignment") do not play nicely together when an exception is thrown inside the property assignment logic.

If an attacker can control memory layout—possibly by sending crafted inputs—they might be able to execute arbitrary code.

Within __set(), an exception is thrown.

4. PHP's engine mishandles cleanup, leading to a "use-after-free," where freed memory might be used for something dangerous—like executing attacker-controlled code.

Exploit Example

Below is a simplified (non-exploiting) PHP script that demonstrates the buggy pattern. This is safe to run, but highlights how exceptions and __set interact. Do NOT attempt real exploitation skills on public systems—this is for educational/research purposes only.

<?php

class A {
    public function __set($name, $value) {
        // Simulate a problem causing an exception
        throw new Exception("Oops inside __set()");
    }
}

$obj = new A();

try {
    // Triggers __set(), which immediately throws
    $obj->foo ??= 123;
} catch (Exception $e) {
    echo "Caught exception: " . $e->getMessage() . PHP_EOL;
}
?>

On affected PHP versions, an attacker may further manipulate memory layout (by supplying many input strings, objects, etc.) to eventually overwrite freed chunks and trigger arbitrary code execution (*RCE*).

The problematic code involves only a single operator and a magic method—common in real-world code.

- Attackers who can heavily influence program state (for example, supplying deeply-nested or recursive inputs, large numbers of objects/strings, etc.) might use heap feng shui to set up exploitation—potentially from remote requests.

Once control is achieved, attackers could execute arbitrary code as your web server’s user.

Proof-of-concept (POC) exploits: At the time of writing, no public POC reliably achieves RCE, but variants are circulating in private and security community channels.

Mitigation: If you use property overloading (magic methods like __set), especially combined with null coalescing assignment and exception handling, you're vulnerable!

References

- CVE Details: CVE-2024-11235
- PHP official change log
- Security fix in PHP GitHub PR
- PHP bug report #82000 (example bug, similar context)

Takeaway

CVE-2024-11235 shows how simple PHP features, when mixed in the wrong way, can expose critical vulnerabilities—even in modern versions. If you or your team manage PHP code, update now!

If you want to talk technical details or need help testing your environment, the PHP community on the PHP Internals Mailing List and your distro's security channels are good places to start.

Timeline

Published on: 04/04/2025 18:15:48 UTC
Last modified on: 04/30/2025 19:25:17 UTC