CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stemmed from how the __sleep() method in the Stub class handled property serialization. The original implementation used get_class_vars(), which does not distinguish an uninitialized typed property from a property whose value is null. The patch introduced a NoDefault marker and ReflectionClass checks so that the initialization state of each property is tracked correctly. This indicates that the __sleep() method was the entry point for the unsafe serialization behavior that could be triggered through crafted payloads. The high confidence comes from the direct correlation between the patched code in Stub.php and the CWE-94 (Code Injection) classification in the advisory.
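The distinction the patch relies on can be seen in a small stand-alone class. This is an added illustration, not Symfony's Stub code: the `Record` class, its properties and its `__sleep()` are hypothetical, and it assumes PHP 8.0 or later for `ReflectionProperty::hasDefaultValue()`.

```php
<?php
declare(strict_types=1);

// Hypothetical class standing in for a Stub-like object. Not Symfony's code.
final class Record
{
    public ?string $label = null;   // declared default: null
    public int $count;              // typed, no default: uninitialized until assigned

    /**
     * Serialize only properties that differ from their declared defaults,
     * telling "never assigned" apart from "assigned null" via reflection
     * instead of relying on get_class_vars().
     */
    public function __sleep(): array
    {
        $keep = [];
        foreach ((new \ReflectionClass($this))->getProperties() as $prop) {
            if ($prop->isStatic()) {
                continue;
            }
            // Reading an uninitialized typed property throws an Error, and
            // there is nothing to serialize for it, so skip it explicitly.
            if (!$prop->isInitialized($this)) {
                continue;
            }
            // A property with no declared default is kept once it is set;
            // one with a default is kept only if its value differs from it.
            if (!$prop->hasDefaultValue()
                || $prop->getValue($this) !== $prop->getDefaultValue()) {
                $keep[] = $prop->getName();
            }
        }
        return $keep;
    }
}

// get_class_vars() reports a null entry for $count as well as for $label,
// so a default-comparison based on it cannot see that $count was never set.
var_dump(get_class_vars(Record::class));

$r = new Record();
// Reflection does see the difference: $count is uninitialized, $label is null.
var_dump((new \ReflectionProperty(Record::class, 'count'))->isInitialized($r));
var_dump((new \ReflectionProperty(Record::class, 'label'))->isInitialized($r));

var_dump($r->__sleep());   // before $count is assigned
$r->count = 3;
var_dump($r->__sleep());   // after $count is assigned
```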
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/var-dumper | composer | < 6.4.4 | 6.4.4 |
| symfony/var-dumper | composer | >= 7.0.0, < 7.0.4 | 7.0.4 |