CVE-2014-125127
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-12-18
Assigner: Checkmarx
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flightphp | flight | < 1.2 (1.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the mikecao/flight PHP framework prior to version 1.2 is due to the framework eagerly loading the entire HTTP request body in the Request class constructor on every request, regardless of whether the application needs it. This means that when a request with a large payload is sent, the entire payload is loaded into memory immediately, causing excessive memory consumption. An attacker can exploit this by sending large requests to exhaust server memory, potentially causing application crashes or denial of service. The issue was fixed in version 1.2 by implementing lazy loading, so the request body is only read when explicitly needed. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on your application. By sending HTTP requests with large payloads, the attacker can force the application to consume excessive memory, potentially exhausting available server resources. This can lead to application crashes or unavailability of the service, disrupting normal operations and affecting users. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high memory usage or application crashes when handling HTTP POST or PUT requests with large payloads. Since the FlightPHP framework eagerly loads the entire request body, sending large HTTP requests and observing server resource consumption can help identify the issue. Commands to monitor memory usage include using system tools like 'top' or 'htop' on Linux to watch PHP process memory. Additionally, capturing HTTP traffic with tools like 'tcpdump' or 'Wireshark' to identify large POST or PUT requests may help. There are no specific commands provided in the resources for direct detection of this vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the FlightPHP framework to version 1.2 or later, where the vulnerability is fixed by implementing lazy loading of request bodies. If upgrading is not immediately possible, configuring the web server (e.g., nginx) to limit the maximum allowed request body size using directives like 'client_max_body_size', and adjusting PHP settings such as 'post_max_size' can help prevent large payloads from exhausting server memory. Additionally, modifying application code to explicitly handle request bodies only when needed, or implementing streaming of request bodies in smaller chunks, can reduce memory consumption and mitigate the risk of denial-of-service attacks. [1, 2]
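As an added illustration of the eager-loading pattern explained in the first answer and the "handle request bodies only when needed" mitigation in the last one (example code written for this page, not FlightPHP's own Request class): the class names, the `$stream` parameter and the 1 MiB default cap are assumptions.

```php
<?php
// Added example, not FlightPHP's code; class names, $stream and the cap are assumed.
// Before: the whole body is consumed in the constructor, so every request pays
// the full memory cost even if no handler ever reads the body.
final class EagerRequest
{
    public string $body;
    /** @param resource $stream  in production this would be fopen('php://input', 'rb') */
    public function __construct($stream)
    {
        $this->body = (string) stream_get_contents($stream); // unbounded read
    }
}

// After: nothing is read until getBody() is called, and the read stops at the cap,
// so an oversized payload costs at most $maxBytes + 1 bytes of memory.
final class LazyRequest
{
    private ?string $body = null;
    /** @param resource $stream */
    public function __construct(private $stream, private int $maxBytes = 1024 * 1024) {}

    public function getBody(): string
    {
        if ($this->body === null) {
            // Read one byte past the cap to tell "exactly at cap" from "over cap".
            $data = stream_get_contents($this->stream, $this->maxBytes + 1);
            if ($data === false) {
                throw new RuntimeException('cannot read request body');
            }
            if (strlen($data) > $this->maxBytes) {
                throw new LengthException("request body exceeds {$this->maxBytes} bytes");
            }
            $this->body = $data;
        }
        return $this->body;
    }
}

// Constructed input standing in for php://input: a 4 KiB payload against a 1 KiB cap.
$fh = fopen('php://temp', 'r+b');
fwrite($fh, str_repeat('A', 4096));
rewind($fh);
$lazy = new LazyRequest($fh, 1024);
try {
    $lazy->getBody();
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The cap inside the application is a second line of defence behind the web-server and PHP limits named above; with `client_max_body_size` or `post_max_size` alone, the framework still decides when the bytes are pulled into memory.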