In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, when certain non-standard Windows codepage configurations are in use, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed, and the same command injection that stems from Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. Red Hat's entry below narrows the precondition: the configuration is only obtainable through the registry, by pointing the ACP (ANSI code page) at an OEM code page, and is considered unlikely to occur in a real environment.
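The two checks a defender would want from the description above, as an added example that is not code from this advisory, from PHP, or from any of the sources listed on the page: a version test against the three fixed releases it names, and a request-line scanner that rebuilds the argv php-cgi would receive (RFC 3875 treats a query string with no unencoded `=` as `+`-separated command-line arguments) after the one Best Fit substitution that makes the injection work, a soft hyphen (byte 0xAD) collapsing to an ASCII hyphen. The sample request lines, the one-entry Best Fit table and the option names used in them (`-d`, `-s`, `allow_url_include`, `auto_prepend_file`) are constructed for this example; the option names are ordinary php-cgi switches and ini directives, not values taken from this page.

```python
import re
from urllib.parse import unquote_to_bytes

# Fixed release per branch, taken from the advisory text:
# 8.1.30, 8.2.24, 8.3.12.
FIXED_IN = {(8, 1): 30, (8, 2): 24, (8, 3): 12}

# The "Best Fit" substitution at the heart of CVE-2024-4577: a soft hyphen
# (byte 0xAD under a cp1252-style ANSI code page) is mapped to an ASCII
# hyphen when Windows converts the string to a code page that lacks it.
# Modelling only that one mapping is a simplification made by this example.
BEST_FIT = {0xAD: ord("-")}


def parse_version(version: str) -> tuple[int, int, int]:
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if m is None:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3])


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges.

    Branches the advisory does not list (8.0 and older, 8.4 and newer) are
    reported as not affected *by this advisory*; assess them separately."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def best_fit(raw: bytes) -> str:
    """Apply the modelled Best Fit mapping byte by byte (latin-1 otherwise)."""
    return "".join(chr(BEST_FIT.get(b, b)) for b in raw)


def php_cgi_args(query: str) -> list[str]:
    """argv that php-cgi would receive for this query string.

    RFC 3875 section 4.4: a query string with no unencoded '=' is treated as
    command-line arguments, split on '+' and percent-decoded. With a literal
    '=' present it is an ordinary query and no argv is built, which is why
    injection attempts encode '=' as %3d."""
    if query == "" or "=" in query:
        return []
    return [best_fit(unquote_to_bytes(part)) for part in query.split("+") if part]


def suspicious_options(request_line: str) -> list[str]:
    """Return the argv tokens that php-cgi would parse as options ('-...')."""
    m = re.match(r"\S+\s+\S*?\?(\S*)\s+HTTP/", request_line)
    if m is None:
        return []
    return [arg for arg in php_cgi_args(m[1]) if arg.startswith("-")]


# Constructed request lines for this example, not captured traffic. The first
# two follow the option-injection shape documented for CVE-2024-4577 (set an
# ini value with -d, dump source with -s); the other two are benign.
SAMPLE_LOG = [
    "GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1",
    "GET /index.php?%ADs HTTP/1.1",
    "GET /index.php?page=home HTTP/1.1",
    "GET /search.php?term+two HTTP/1.1",
]


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each request line that carries php-cgi options to those options."""
    findings = {}
    for line in lines:
        opts = suspicious_options(line)
        if opts:
            findings[line] = opts
    return findings


if __name__ == "__main__":
    for v in ("8.1.29", "8.1.30", "8.3.11", "8.3.12"):
        print(v, "affected" if is_affected(v) else "fixed")
    for line, opts in scan(SAMPLE_LOG).items():
        print(opts, "<-", line)
```

The scanner cannot see the server's code page, so it answers a narrower question: would this query string turn into php-cgi options at all? Whether the bypass applies on a given host depends on the ACP and OEMCP values under HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage, which is the registry setting Red Hat's note refers to; the decisive fix remains updating to 8.1.30, 8.2.24 or 8.3.12.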
History
Tue, 19 Aug 2025 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | |
| Vendors & Products | php-fpm | |
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |
Thu, 24 Apr 2025 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
Wed, 16 Oct 2024 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | php-fpm |
| CPEs | | cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:* |
| Vendors & Products | | php-fpm |
Tue, 08 Oct 2024 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | php |
| CPEs | | cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
| Vendors & Products | | php |
| Metrics | | ssvc |
Tue, 08 Oct 2024 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in PHP that bypasses the fix implemented in CVE-2024-4577 when using a non-standard configuration of Windows codepages, only obtainable through the registry by pointing the ACP codepage to an OEM codepage. The required configuration is unlikely to occur in a real environment. | In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. |
| Title | php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) | PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1 |
Tue, 08 Oct 2024 01:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw was found in PHP that bypasses the fix implemented in CVE-2024-4577 when using a non-standard configuration of Windows codepages, only obtainable through the registry by pointing the ACP codepage to an OEM codepage. The required configuration is unlikely to occur in a real environment. |
| Title | | php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) |
| References | | |
| Metrics | threat_severity | threat_severity |
MITRE
Status: PUBLISHED
Assigner: php
Published: 2024-10-08T03:48:53.628Z
Updated: 2025-04-24T21:12:33.554Z
Reserved: 2024-09-17T04:06:56.550Z
Link: CVE-2024-8926

Vulnrichment
Updated: 2024-10-08T12:56:09.856Z

NVD
Status: Analyzed
Published: 2024-10-08T04:15:10.637
Modified: 2025-08-19T16:26:02.750
Link: CVE-2024-8926

Redhat