Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.
AnalysisAI
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
Technical ContextAI
MixPHP Framework's sync-invoke component implements a TCP server for inter-process communication using PHP object serialization. The vulnerability exists at Server.php line 87, where the server accepts TCP connections on localhost (127.0.0.1) and deserializes incoming data using Opis\Closure\unserialize(), a library that extends PHP's native unserialization to support closures and anonymous functions. The deserialized closure is then immediately executed via call_user_func() without any validation. This represents a classic unsafe deserialization vulnerability (typically CWE-502), where untrusted data controls object instantiation and code execution. PHP deserialization attacks are well-understood and frequently leverage magic methods (__wakeup, __destruct, __toString) or in this case, direct closure execution to achieve remote code execution. The localhost binding provides some network-level protection but does not prevent exploitation by local users, compromised applications on the same host, or SSRF vectors.
RemediationAI
No vendor-released patch identified at time of analysis for MixPHP 2.2.17 or newer 2.x versions. The framework repository at https://github.com/mix-php/mix should be monitored for security advisories and patched releases addressing this deserialization flaw. Immediate compensating controls include: Disable the sync-invoke TCP server component entirely if not operationally required for inter-process communication (assess impact on application functionality first). Implement network-level access controls using firewall rules or iptables to restrict connections to the sync-invoke port only from explicitly trusted local processes or users, though this requires precise process-to-port mapping and may break legitimate IPC. Deploy application-level authentication by modifying Server.php to validate HMAC signatures or pre-shared tokens on incoming messages before deserialization (requires code changes and coordination with client components). Containerize MixPHP applications with strict network policies that prevent localhost port access from untrusted containers or host processes (note: shared network namespaces defeat this control). Monitor for migration paths to MixPHP 3.x or alternative frameworks, as the 2.x branch may be approaching end-of-life. Each mitigation has trade-offs: disabling sync-invoke may break functionality, authentication requires code maintenance, and network isolation adds operational complexity. Review the proof-of-concept at https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 to understand the exact attack mechanism and validate effectiveness of mitigations in your environment.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26670