CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-8927: cgi.force_redirect configuration is bypassable due to the environment variable collision

7.5 CVSS

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Classification

CVE ID: CVE-2024-8927

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor: PHP Group

Product: PHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.49% (scored less or equal to compared to others)

EPSS Date: 2025-04-16 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8927
https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp

Timeline

2025-03-18 17:40:20 UTC
CVE

cgi.force_redirect configuration is bypassable due to the environment variable collision