Vulnerability in Facebook Hhvm
CVE-2020-1898
The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3…
EPSS: 0.008 (75.0th percentile)
Affected products
- Facebook Hhvm — versions 4.62.1, 4.62.0, 4.61.1
Weakness classification (CWE)
References
- hhvm.com/blog/2020/06/30/security-update.html (x_refsource_CONFIRM)
- github.com/facebook/hhvm/commit/1746dfb11fc0048366f34669e74318b8278a684c (x_refsource_MISC)