- php
- deserialization
- soap
- exploitarium
news
PHP 8.5.7 StreamBucket SOAP Numeric Cookie RCE
StreamBucket type confusion chains to fake HashTable write and zend_execute_internal hook — marker PHP857_RCE validated locally.
Summary
This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | PHP 8.5.7 |
| Primitive | Internal property confusion → HashTable overwrite → zif_system |
| Impact | Remote/locale-dependent RCE in a PHP process that parses an attacker-controlled SOAP path. |
Attack Chain
rpoc.php StreamBucket trigger → overwrite_returned → marker file
Mitigation
Upgrade PHP when a security release is available; disable SOAP where it is unused.