
CVE-2021-23592: Deserialization of Untrusted Data in topthink/framework

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.75447%
Published: 5/7/2022
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: topthink/framework
Ecosystem: composer
Vulnerable Versions: < 6.0.12
First Patched Version: 6.0.12

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the `Driver::unserialize` method in the cache component. The pre-patch implementation accepted a string parameter and passed it straight to `unserialize()` without any validation. While the commit diff shows only a type hint removal (string -> mixed), the core issue is the lack of validation before deserialization: the type hint says nothing about what the serialized bytes contain. Cached data is an untrusted source from the deserializer's point of view, so an attacker able to write to the cache backend could store a crafted serialized payload that is instantiated when the entry is read back. The CVE description explicitly cites the insecure `unserialize` in the `Driver` class, and the patch's commit message confirms the method was modified to address type-related security constraints.
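To make the point concrete, here is an added example that is not ThinkPHP's own code: a minimal cache-driver shape showing the unvalidated pattern the analysis describes next to a hardened version. The class names, the `allowedClasses` constructor parameter and the sample inputs are hypothetical stand-ins constructed for this illustration; the `allowed_classes` option of PHP's `unserialize()` is a real, documented option (PHP 7.0+).

```php
<?php
declare(strict_types=1);

// Added example, not topthink/framework code. Class and method names
// are hypothetical stand-ins for the cache Driver pattern described above.

final class UnsafeCacheDriver
{
    // The pattern the advisory describes: whatever the cache backend
    // returned is handed straight to unserialize(). Any class defined in
    // the application can be instantiated from the cached bytes, and its
    // __wakeup()/__destruct() methods run during deserialization.
    public function unserialize($data)
    {
        return unserialize($data);
    }
}

final class HardenedCacheDriver
{
    /** @var list<class-string> classes that may legitimately live in the cache */
    private array $allowedClasses;

    public function __construct(array $allowedClasses = [])
    {
        $this->allowedClasses = $allowedClasses;
    }

    // 1. Accept only strings: the backend is untrusted, so its return type
    //    is checked rather than assumed (a `mixed` hint alone changes nothing).
    // 2. Restrict which classes unserialize() may instantiate. With an empty
    //    allowlist, allowed_classes is false and every object in the payload
    //    becomes __PHP_Incomplete_Class, so no magic methods run.
    // 3. Distinguish a genuine false (serialized "b:0;") from a parse failure,
    //    and refuse payloads that tried to smuggle in a disallowed class.
    public function unserialize(mixed $data): mixed
    {
        if (!is_string($data)) {
            throw new InvalidArgumentException('cache value must be a serialized string');
        }
        if ($data === serialize(false)) {
            return false;
        }
        $value = @unserialize($data, [
            'allowed_classes' => $this->allowedClasses === [] ? false : $this->allowedClasses,
        ]);
        if ($value === false) {
            throw new UnexpectedValueException('cache value is not valid serialized data');
        }
        if ($this->containsIncompleteClass($value)) {
            throw new UnexpectedValueException('cache value contained a disallowed class');
        }
        return $value;
    }

    // Walk arrays so a disallowed object nested inside a cached array is
    // also reported rather than silently returned as an incomplete class.
    private function containsIncompleteClass(mixed $value): bool
    {
        if ($value instanceof __PHP_Incomplete_Class) {
            return true;
        }
        if (is_array($value)) {
            foreach ($value as $item) {
                if ($this->containsIncompleteClass($item)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Constructed inputs: a serialized array, which is what a cache entry
// normally holds, and a serialized object of a class not on the allowlist
// (DateTime stands in for any application class an attacker might name).
$plain  = serialize(['user' => 42, 'roles' => ['editor']]);
$object = serialize(['session' => new DateTime('2022-05-07')]);

$driver = new HardenedCacheDriver();
var_dump($driver->unserialize($plain)['user']);

try {
    $driver->unserialize($object);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    $driver->unserialize(42); // non-string value from a misbehaving backend
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is that the class allowlist, not the parameter type hint, is what removes the attack surface: with `allowed_classes` restricted, a cache entry can still carry arrays and scalars, but it can no longer cause arbitrary application classes to be constructed. Where a cache only ever holds plain data, a format with no object semantics (such as JSON) avoids the problem entirely.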


WAF Protection Rules

WAF Rule

The package topthink/framework before version 6.0.12 is vulnerable to Deserialization of Untrusted Data due to insecure `unserialize` method in the `Driver` class.
