PHP PHAR directory entry parsing stack buffer overflow
CVE-2023-3824 affects PHP when processing PHAR archives. In PHP 8.0.x before 8.0.30, 8.1.x before 8.1.22, and 8.2.x before 8.2.8, insufficient length checking while reading PHAR directory entries during phar file loading can trigger a stack-based buffer overflow. The flaw arises in PHAR archive parsing logic and may result in memory corruption; under favorable conditions it may be exploitable for remote code execution.
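The bug class described above is a length field read from the archive being trusted when copying an entry name into a fixed-size stack buffer. The following is an added, constructed illustration of the hardened pattern, not PHP's phar code: the entry layout, the `NAME_MAX_LEN` bound, and the helper names are assumptions made for this example. The reader validates the declared length against both the destination buffer and the remaining input before any copy, so an entry claiming a name longer than the buffer is rejected rather than written past the end of the stack frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed directory-entry format (an assumption for this example):
 *   [u32 name_len][name_len bytes of name][u32 data_len]
 * A vulnerable reader would do memcpy(out->name, buf + 4, name_len) with no
 * check that name_len <= NAME_MAX_LEN; a crafted entry then overflows the
 * fixed stack buffer. The checked parser below refuses such entries. */

#define NAME_MAX_LEN 32

typedef struct {
    char name[NAME_MAX_LEN + 1];   /* fixed-size stack buffer once copied */
    uint32_t data_len;
} entry_t;

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_u32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse one entry; returns bytes consumed, or 0 if the entry is malformed. */
size_t parse_entry_checked(const uint8_t *buf, size_t len, entry_t *out) {
    if (len < 4) return 0;
    uint32_t name_len = read_u32le(buf);
    /* Bound against the destination buffer ... */
    if (name_len == 0 || name_len > NAME_MAX_LEN) return 0;
    /* ... and against the bytes actually present in the input. */
    if (len - 4 < name_len) return 0;
    if (len - 4 - name_len < 4) return 0;
    memcpy(out->name, buf + 4, name_len);
    out->name[name_len] = '\0';
    out->data_len = read_u32le(buf + 4 + name_len);
    return 4 + name_len + 4;
}

/* Parse a whole directory; returns the entry count, or -1 on the first
 * malformed entry (the archive is rejected as a unit). */
int parse_directory(const uint8_t *buf, size_t len, entry_t *out, int max_entries) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (count >= max_entries) return -1;
        size_t used = parse_entry_checked(buf + off, len - off, &out[count]);
        if (used == 0) return -1;
        off += used;
        count++;
    }
    return count;
}

/* Build one well-formed entry (constructed test input); returns bytes written
 * or 0 if it does not fit. */
size_t build_entry(uint8_t *dst, size_t cap, const char *name, uint32_t data_len) {
    size_t name_len = strlen(name);
    if (name_len == 0 || name_len > NAME_MAX_LEN || cap < 4 + name_len + 4) return 0;
    write_u32le(dst, (uint32_t)name_len);
    memcpy(dst + 4, name, name_len);
    write_u32le(dst + 4 + name_len, data_len);
    return 4 + name_len + 4;
}

int main(void) {
    uint8_t buf[128];
    size_t n = build_entry(buf, sizeof buf, "index.php", 10);
    n += build_entry(buf + n, sizeof buf - n, "lib/util.php", 20);
    entry_t entries[4];
    printf("well-formed directory: %d entries\n",
           parse_directory(buf, n, entries, 4));

    /* Crafted entry declaring a 200-byte name with only 4 bytes behind it. */
    uint8_t bad[8] = { 200, 0, 0, 0, 'a', 'b', 'c', 'd' };
    printf("oversized name_len rejected: %s\n",
           parse_directory(bad, sizeof bad, entries, 4) == -1 ? "yes" : "no");
    return 0;
}
```

The two checks are deliberately separate: the first protects the stack buffer, the second protects against reading past the end of the mapped archive, and a fix that only adds one of them leaves the other failure mode in place.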
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository demonstrates a proof-of-concept exploit for PHP applications that allow PHAR file uploads and have 'phar.readonly = Off'. The main file, index.php, provides a web interface to upload a PHAR file. Upon upload, the script extracts a file named shell.php from the PHAR archive and writes it to the server's root directory, effectively deploying a webshell. The README provides setup instructions using Docker and shows how to use the webshell to execute a reverse shell command. The exploit targets PHP environments with insecure PHAR handling, enabling remote code execution via a webshell. The repository contains two files: a README with usage instructions and index.php with the exploit logic.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced only as part of repository names in attacker infrastructure/IoCs; no vulnerability details are provided in the content.
A suspected vulnerability (CVE-2023-3824) affecting older PHP deployments (notably PHP 8.1.2 in this account) that LockBitSupp claims may have enabled compromise of LockBit infrastructure during/around Operation Cronos.
A remote code execution flaw in PHP that law enforcement reportedly used to compromise LockBit servers during the takedown operation.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.