Attackers could abuse an insecure deserialization vulnerability in the web application framework Zend Framework and its successor, the Laminas Project, to carry out a remote code execution (RCE) attack on PHP-based websites. Security researcher Ling Yizhou, who discovered the flaw, posted proof-of-concept exploits on GitHub.
- The vulnerability is located in the destructor (`__destruct()`) of the Stream class, a PHP magic method that runs automatically when an object is destroyed.
- Matthew Weier O’Phinney, Zend product owner and principal engineer, disputed the researcher's findings, telling Threatpost that the web application developer has to write insecure code before the issue can be exploited.
- Zend has issued a fix for the problem.
- The Zend Framework has been installed more than 570 million times.
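The dispute above turns on one point: the destructor only becomes reachable if the application itself passes attacker-controlled bytes to `unserialize()`. The following PHP snippet is an added illustration, not code from Zend, Laminas or the researcher; the `TempFileHandle` class and the `insecureRestore`/`safeRestore` helpers are hypothetical stand-ins, and the serialized string is constructed for the example. It shows why any class with a destructor is exposed by unrestricted `unserialize()`, and how the `allowed_classes` option stops PHP from instantiating real classes from untrusted input.

```php
<?php
// Added example (not Zend/Laminas code): unrestricted unserialize() on
// untrusted input versus a hardened variant that refuses objects.
declare(strict_types=1);

// Hypothetical class standing in for any framework class with __destruct().
// The destructor runs when the object is garbage collected, with whatever
// property values the serialized payload supplied; the application never
// constructed the object, yet its cleanup logic executes.
final class TempFileHandle
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Insecure pattern (hypothetical helper): untrusted bytes reach unserialize()
// with no class restriction, so any loadable class may be instantiated and
// its magic methods will fire. Defined here only to show the anti-pattern.
function insecureRestore(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: allowed_classes => false makes PHP materialize every
// object in the payload as a __PHP_Incomplete_Class placeholder, which has no
// constructor, destructor or __wakeup of its own. Rejecting such placeholders
// outright means only scalars and arrays are ever accepted.
function safeRestore(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if (containsIncompleteObject($value)) {
        throw new UnexpectedValueException('serialized objects are not accepted');
    }
    return $value;
}

// Recursively checks whether a decoded value contains any object placeholder.
function containsIncompleteObject(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed input: a serialized TempFileHandle whose $path was chosen by the
// sender rather than by the application.
$constructed = 'O:14:"TempFileHandle":1:{s:4:"path";s:16:"/tmp/victim-file";}';

// Plain data survives the hardened path unchanged.
var_dump(safeRestore('a:1:{s:2:"id";i:42;}'));

// The object payload is refused before any real class is instantiated.
try {
    safeRestore($constructed);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

For data that crosses a trust boundary (cookies, query strings, message queues), a format that cannot encode objects at all, such as JSON via `json_decode()`, removes the class of bug entirely; `allowed_classes` is the fallback when the serialized format cannot be changed.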