Eric Stern

#26905 of 53,630
9.4 Total CVSS
Vulnerabilities · 1
PT-2024-3031
9.4
2024-04-11
Php · Php · CVE-2024-3096
**Name of the Vulnerable Software and Affected Versions**

PHP versions 8.1.* through 8.1.27
PHP versions 8.2.* through 8.2.17
PHP versions 8.3.* through 8.3.4

**Description**

The issue is in PHP's password verification process. If a password stored with `password_hash()` starts with a null byte (`\x00`), testing a blank string as the password via `password_verify()` incorrectly returns true. This flaw can allow a remote attacker to bypass authentication and gain unauthorized access to a web application.

**Recommendations**

For PHP versions 8.1.* through 8.1.27, update to version 8.1.28 or later.
For PHP versions 8.2.* through 8.2.17, update to version 8.2.18 or later.
For PHP versions 8.3.* through 8.3.4, update to version 8.3.5 or later.

As a temporary workaround, consider restricting use of the `password_verify()` function until a patch is available, and avoid using passwords that start with a null byte (`\x00`) in the affected PHP versions.
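The workaround above, expressed as defensive wrappers around the PHP password API. This is an added example, not code from the advisory or from the PHP project; the function names `safe_password_hash`, `safe_password_verify` and `php_affected_by_cve_2024_3096` are hypothetical, and the version ranges are taken from the advisory text.

```php
<?php
// Added example: enforce the advisory's workaround in application code.

function password_contains_nul(string $password): bool
{
    return strpos($password, "\0") !== false;
}

// Refuse to store a password that is empty or contains a NUL byte; on the
// affected versions a hash of such a password can be matched by "".
function safe_password_hash(string $password): string
{
    if ($password === '' || password_contains_nul($password)) {
        throw new InvalidArgumentException(
            'password must be non-empty and must not contain NUL bytes'
        );
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Reject empty or NUL-containing candidates before password_verify() runs,
// so the blank-string case described in the advisory never reaches it.
function safe_password_verify(string $candidate, string $hash): bool
{
    if ($candidate === '' || password_contains_nul($candidate)) {
        return false;
    }
    return password_verify($candidate, $hash);
}

// True when the running interpreter falls in one of the affected ranges
// listed above (8.1.0-8.1.27, 8.2.0-8.2.17, 8.3.0-8.3.4).
function php_affected_by_cve_2024_3096(): bool
{
    $v = PHP_VERSION_ID; // e.g. 80127 for PHP 8.1.27
    return ($v >= 80100 && $v <= 80127)
        || ($v >= 80200 && $v <= 80217)
        || ($v >= 80300 && $v <= 80304);
}

if (php_affected_by_cve_2024_3096()) {
    fwrite(STDERR, 'PHP ' . PHP_VERSION . " is affected by CVE-2024-3096; upgrade.\n");
}

// Constructed usage: a stored hash must never verify against a blank password.
$hash = safe_password_hash('correct horse battery staple');
var_dump(safe_password_verify('', $hash));                             // bool(false)
var_dump(safe_password_verify('correct horse battery staple', $hash)); // bool(true)
```

The version check is a deployment guard only; the wrappers are what keep the blank-password case away from `password_verify()`.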