CVE-2014-125127
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-12-18

Assigner: Checkmarx

Description
The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2014-125127
EUVD
EUVD-2014-9818
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flightphp flight to 1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the mikecao/flight PHP framework prior to version 1.2 is due to the framework eagerly loading the entire HTTP request body in the Request class constructor on every request, regardless of whether the application needs it. This means that when a request with a large payload is sent, the entire payload is loaded into memory immediately, causing excessive memory consumption. An attacker can exploit this by sending large requests to exhaust server memory, potentially causing application crashes or denial of service. The issue was fixed in version 1.2 by implementing lazy loading, so the request body is only read when explicitly needed. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on your application. By sending HTTP requests with large payloads, the attacker can force the application to consume excessive memory, potentially exhausting available server resources. This can lead to application crashes or unavailability of the service, disrupting normal operations and affecting users. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage or application crashes when handling HTTP POST or PUT requests with large payloads. Since the FlightPHP framework eagerly loads the entire request body, sending large HTTP requests and observing server resource consumption can help identify the issue. Commands to monitor memory usage include using system tools like 'top' or 'htop' on Linux to watch PHP process memory. Additionally, capturing HTTP traffic with tools like 'tcpdump' or 'Wireshark' to identify large POST or PUT requests may help. There are no specific commands provided in the resources for direct detection of this vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading the FlightPHP framework to version 1.2 or later, where the vulnerability is fixed by implementing lazy loading of request bodies. If upgrading is not immediately possible, configuring the web server (e.g., nginx) to limit the maximum allowed request body size using directives like 'client_max_body_size', and adjusting PHP settings such as 'post_max_size' can help prevent large payloads from exhausting server memory. Additionally, modifying application code to explicitly handle request bodies only when needed, or implementing streaming of request bodies in smaller chunks, can reduce memory consumption and mitigate the risk of denial-of-service attacks. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2014-125127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart