Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.
AnalysisAI
Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).
Technical ContextAI
PHP's unserialize() function is a notorious attack surface because it can instantiate arbitrary objects from serialized data, triggering magic methods (__wakeup, __destruct, __toString) that execute attacker-controlled code if the application includes exploitable classes (gadget chains). MixPHP Framework 2.x implements session and cache persistence through a FileHandler class that reads serialized data from the filesystem and passes it directly to unserialize() without integrity checks or signature validation. This is a textbook CWE-502 (Deserialization of Untrusted Data) vulnerability. The affected component is identifiable in the GitHub repository at src/sync-invoke/src/Server.php in version 2.2.17. The CPE string is generic (cpe:2.3:a:n/a:n/a), indicating incomplete vendor metadata in NVD, but the GitHub references confirm the mix-php/mix repository as the authoritative source. All MixPHP Framework 2.x versions through 2.2.17 contain vulnerable FileHandler deserialization code.
RemediationAI
Upgrade to MixPHP Framework version 3.x or later if available, as the 2.x branch appears unmaintained based on the vulnerability scope (no patch version beyond 2.2.17 referenced). Consult the official MixPHP GitHub repository (https://github.com/mix-php/mix) for migration guidance or security patches. If immediate upgrade is not feasible, implement these compensating controls: (1) Replace file-based session/cache handlers with alternative backends that do not use unserialize() (Redis, Memcached with igbinary serialization, or database-backed sessions with parameterized queries). This eliminates the vulnerable code path but requires application reconfiguration and may impact session persistence across deployments. (2) Restrict filesystem permissions on session/cache directories to prevent attacker write access (chmod 700, chown to web server user only). This mitigates exploitation if attackers need to plant malicious serialized files, but does not protect against race conditions or user-uploaded content processed as cache. (3) Deploy PHP in environments without exploitable gadget chains by auditing and removing unnecessary libraries, though this is impractical for most real-world applications. (4) Implement Web Application Firewall (WAF) rules to detect PHP object injection patterns in HTTP requests, though this is easily bypassed with encoding. No vendor advisory link available; monitor https://github.com/mix-php/mix/security/advisories for official guidance.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26674