N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-f6p5-76fp-m248

EPSS Score

CWE

Published

4/28/2022

Updated

1/7/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-f6p5-76fp-m248

GHSA-f6p5-76fp-m248: URL Rewrite vulnerability in multiple zendframework components

zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-f6p5-76fp-m248

EPSS Score

CWE

Published

4/28/2022

Updated

1/7/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zend-diactoros	composer	< 1.8.4	1.8.4
zendframework/zend-feed	composer	< 2.10.3	2.10.3
zendframework/zend-http	composer	< 2.8.1	2.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability pattern across all components involves URI determination logic that trusted specific HTTP headers (X-Rewrite-Url, X-Original-Url) without verifying the server environment actually uses those rewrite mechanisms. The primary vulnerable functions are those responsible for marshaling request URIs in each component:

In zend-diactoros: ServerRequestFactory's URI creation method trusted rewrite headers
In zend-http: PhpEnvironment\Request's URI detection used vulnerable headers
In zend-feed: PubSubHubbub's Subscriber used headers to verify callback URLs

These functions would appear in runtime profiles when processing malicious requests containing spoofed rewrite headers, as they directly handle header-based URI resolution before the security patches added server environment validation checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

z*n*-*i**toros (*n*, *y *xt*nsion, *xpr*ssiv*), z*n*-*ttp (*n*, *y *xt*nsion, Z*n* *r*m*work MV* proj**ts), *n* z*n*-**** (sp**i*i**lly, its Pu*Su**u**u* su*-*ompon*nt) **** *ont*in * pot*nti*l URL r*writ* *xploit. In **** **s*, m*rs**lin* * r*qu*st

Reasoning

T** vuln*r**ility p*tt*rn **ross *ll *ompon*nts involv*s URI **t*rmin*tion lo*i* t**t trust** sp**i*i* *TTP *****rs (X-R*writ*-Url, X-Ori*in*l-Url) wit*out v*ri*yin* t** s*rv*r *nvironm*nt **tu*lly us*s t*os* r*writ* m****nisms. T** prim*ry vuln*r**l

N/A

Basic Information

Concerned about an active attack path?

GHSA-f6p5-76fp-m248: URL Rewrite vulnerability in multiple zendframework components

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI