Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
Package
Affected versions
>= 5.0.0-RC1, < 5.5.2
>= 4.0.0-RC1, < 4.13.2
>= 3.0.0, < 3.9.14
Patched versions
5.5.2
4.13.2
3.9.14
Description
Published to the GitHub Advisory Database
Dec 18, 2024
Reviewed
Dec 18, 2024
Published by the National Vulnerability Database
Dec 18, 2024
Last updated
Dec 19, 2024
Impact
You are affected if your php.ini configuration has
register_argc_argv
enabled.Patches
Update to 3.9.14, 4.13.2, or 5.5.2.
Workarounds
If you can't upgrade yet, and
register_argc_argv
is enabled, you can disable it to mitigate the issue.References