CVE-2018-6345

Name of the Vulnerable Software and Affected Versions: HHVM versions 3.30.1 and 3.27.5 and below

Description: The issue arises from the function number format when its second argument ($dec points) is excessively large, leading to a heap overflow. This occurs because the internal implementation of number format creates a string with an invalid length, which can then interact poorly with other functions.

Recommendations: For HHVM versions 3.30.1 and 3.27.5 and below, consider restricting the use of the number format function with large $dec points values until a patch is available. As a temporary workaround, limit the value of $dec points to prevent excessively large inputs. At the moment, there is no information about a newer version that contains a fix for this vulnerability.