7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-jq87-2wxp-8349

GHSA-jq87-2wxp-8349: ZendFramework Route Parameter Injection Via Query String in `Zend\Mvc`

In Zend Framework 2, Zend\Mvc\Router\Http\Query is used primarily to allow appending query strings to URLs when assembled. However, due to the fact that it captures any query parameters into the RouteMatch, and the fact that RouteMatch parameters are merged with any parent routes, this can lead to overriding already captured routing parameters, bypassing constraints defined in the parents.

As an example, consider the following route definition:

array(
    'user' => array(
        'type' => 'segment',
        'options' => array(
            'route' => '/user/:key',
            'defaults' => array(
                'controller' => 'UserController',
                'action'     => 'show-action',
            ),
            'constraints' => array(
                'key' => '[a-z0-9]+',
            ),
        ),
        'child_routes' => array(
            'query' => array('type' => 'query'),
        ),
    ),
)

If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following:

array(
    'controller' => 'SecretController',
    'action'     => 'show-action',
    'key'        => 'invalid_value',
)

This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-jq87-2wxp-8349

GHSA-jq87-2wxp-8349:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendframework	composer	>= 2.0.0, < 2.0.8	2.0.8
zendframework/zendframework	composer	>= 2.1.0, < 2.1.4	2.1.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Query route's match() method processed query parameters. Before patching, it: 1. Retrieved query parameters via $request->getQuery()->toArray() 2. Merged them with route defaults using array_merge() 3. Stored them in RouteMatch. This allowed query parameters to override previously matched parameters from parent routes (like controller/key) without respecting their constraints. The commit 0a7ec34 specifically removed this merging behavior, confirming this function was the vulnerable component. The security advisory explicitly mentions this method's parameter merging as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-jq87-2wxp-8349: ZendFramework Route Parameter Injection Via Query String in `Zend\Mvc`

GHSA-jq87-2wxp-8349:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-jq87-2wxp-8349: ZendFramework Route Parameter Injection Via Query String in `Zend\Mvc`

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI