Flight PHP CVE-2026-42551
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin.
Affected code
flight/net/Request.php (≈ lines 281-292):
public static function getMethod(): string
{
$method = self::getVar('REQUEST_METHOD', 'GET');
if (self::getVar('HTTP_X_HTTP_METHOD_OVERRIDE') !== '') {
$method = self::getVar('HTTP_X_HTTP_METHOD_OVERRIDE');
} elseif (isset($_REQUEST['_method']) === true) {
$method = $_REQUEST['_method'];
}
return strtoupper($method);
}$_REQUEST aggregates $_GET and $_POST; on PHP runtimes with request_order=GPC it also includes $_COOKIE.
Proof of concept
GET /item/42?_method=DELETE HTTP/1.1is dispatched as DELETE /item/42.
GET /item/42 HTTP/1.1
X-HTTP-Method-Override: DELETEis also dispatched as DELETE /item/42.
Trivial CSRF vector (no JavaScript required):
<img src="https://victim.tld/item/42?_method=DELETE">loaded on any attacker-controlled page triggers the destructive DELETE on page load, bypassing Same-Origin Policy (image loads are not blocked).
Reproduced against /poc4/item/42.
Impact
- GET → DELETE / PUT CSRF on any route registered for unsafe verbs.
- Bypass of authentication, CSRF token, or rate-limiting middleware that is gated only on POST/DELETE.
- CDN cache poisoning: the CDN caches the GET response body while the origin executed a DELETE.
Patch (fixed in 3.18.1, commit b8dd23a)
A new flight.allow_method_override setting controls both override vectors. Operators can set it to false to disable X-HTTP-Method-Override and _method entirely.
Credit
Discovered by @Rootingg.
AnalysisAI
Flight PHP micro-framework (< 3.18.1) silently converts GET requests into DELETE or PUT operations via unvalidated X-HTTP-Method-Override headers or _method query parameters, enabling trivial CSRF attacks against destructive endpoints. Attackers can trigger resource deletion using simple HTML image tags without JavaScript or user interaction. The vulnerability bypasses middleware filters that gate only POST/DELETE verbs, and creates CDN cache poisoning scenarios where cached GET responses reflect executed DELETE operations. Patch available in version 3.18.1 introducing opt-in method override control (flight.allow_method_override setting). No active exploitation confirmed at time of analysis; publicly available exploit code exists in GitHub advisory.
Technical ContextAI
Flight PHP is a lightweight PHP micro-framework providing routing and HTTP request handling. The vulnerable code in Request::getMethod() (flight/net/Request.php lines 281-292) unconditionally processes HTTP method override mechanisms intended for REST API compatibility when browsers only support GET/POST. The implementation reads from PHP's $_REQUEST superglobal (aggregating $_GET, $_POST, and potentially $_COOKIE depending on request_order configuration) and the X-HTTP-Method-Override header without validation. This enables HTTP verb tampering attacks that violate RFC 9110 semantics by allowing safe methods (GET, HEAD) to be reinterpreted as unsafe methods (DELETE, PUT, PATCH) at the application layer. The root cause maps to CWE-436 (Interpretation Conflict) where the framework's method resolution logic conflicts with intended HTTP semantics and browser security model. The vulnerability affects all Flight PHP applications using versions prior to 3.18.1 (CPE pkg:composer/flightphp_core) that register routes for unsafe HTTP verbs, particularly REST-style resource endpoints.
RemediationAI
Upgrade to Flight PHP version 3.18.1 or later (released March 2025, confirmed by vendor at https://github.com/flightphp/core/releases/tag/v3.18.1 and commit b8dd23aaa828cb289fa3c84e75b2a3717cab50b0). For Composer-managed installations, run composer require flightphp/core:^3.18.1 and verify with composer show flightphp/core. Note that version 3.18.1 introduces the flight.allow_method_override configuration setting defaulting to true for backward compatibility - operators must explicitly set $app->set('flight.allow_method_override', false); during initialization to disable method override functionality if not required by legitimate API clients. For deployments unable to upgrade immediately, implement these compensating controls with noted trade-offs: (1) Add explicit method validation in route handlers or early middleware to reject requests where actual HTTP verb (from $_SERVER['REQUEST_METHOD']) differs from framework-resolved method, though this requires code changes in every protected endpoint. (2) Configure web server (Apache/nginx) rules to reject requests containing X-HTTP-Method-Override headers or _method parameters, though this breaks legitimate REST clients relying on method override for PATCH/PUT support. (3) Implement strict CSRF token validation in all DELETE/PUT/PATCH endpoint handlers independent of HTTP verb, though this only mitigates CSRF vectors and does not prevent middleware bypass or cache poisoning. (4) Review and refactor middleware authentication/rate-limiting to key on session/token state rather than HTTP verb assumptions, requiring potentially extensive code audit. Confirm patch application by testing that GET requests with ?_method=DELETE or X-HTTP-Method-Override: DELETE headers are dispatched as GET (when flight.allow_method_override is false) or testing that legitimate override requests still function (when true).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-436 – Interpretation Conflict
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vxrr-w42w-w76g