Unknown · Frankenphp · CVE-2026-24894
**Name of the Vulnerable Software and Affected Versions**
FrankenPHP versions prior to 1.11.2
**Description**
FrankenPHP, when running in worker mode, does not reset the `$_SESSION` superglobal between requests. A subsequent request handled by the same worker can therefore read the `$_SESSION` data of the previous request, potentially belonging to a different user, as long as it does so before `session_start()` is called. The root cause is that `$_SESSION` lives in the Zend Engine's global symbol table and FrankenPHP's per-request reset logic never deletes it, while the other superglobals are cleared. The result is cross-request data leakage that can expose authentication tokens, user IDs and other PII. Only applications that read `$_SESSION` before calling `session_start()` are affected; once `session_start()` runs, `$_SESSION` is repopulated from the session store for the current request's cookie. A proof of concept shows that session data set by a request from Client A can be read by a request from Client B without Client B ever starting a session.
**Recommendations**
Update to FrankenPHP 1.11.2 or later. As a temporary workaround, call `session_start()` before touching `$_SESSION` in your worker's request handler, so the stale contents are replaced by the session that belongs to the current request. Alternatively, `unset($_SESSION)` at the very beginning of each worker iteration, before the request is handled, so that nothing from the previous request remains in the symbol table.
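The following worker script is an added example, not FrankenPHP's own code or the advisory's proof of concept. It contrasts the affected pattern (reading `$_SESSION` before `session_start()`) with the recommended workaround, using the documented `frankenphp_handle_request()` loop; the `action`/`uid` query parameters and the `user_id` session key are hypothetical, and `MAX_REQUESTS` mirrors the usual worker-script convention. Run it under FrankenPHP worker mode (`php_server { worker ./worker.php }` or the equivalent `frankenphp php-server --worker` flag); under the CLI the `frankenphp_handle_request()` call does not exist.

```php
<?php
// Added example (not FrankenPHP's code): one worker script, two handlers.
// Keep the worker alive if a client disconnects mid-request.
ignore_user_abort(true);

// AFFECTED pattern: $_SESSION is read before session_start(). On FrankenPHP
// < 1.11.2 the superglobal still holds what the previous request on this
// worker stored, so a request from Client B can observe Client A's user_id.
$affectedHandler = static function (): void {
    $userId = $_SESSION['user_id'] ?? null;   // stale data from the last request
    session_start();                          // too late: the leak happened above
    echo $userId === null ? "anonymous\n" : "user {$userId}\n";
};

// WORKAROUND pattern: discard whatever the previous request left behind, then
// let session_start() load the session tied to *this* request's cookie before
// anything reads $_SESSION. On fixed versions both steps are harmless.
$hardenedHandler = static function (): void {
    unset($_SESSION);                         // advisory workaround for < 1.11.2
    session_start();                          // $_SESSION now belongs to this client only

    if (($_GET['action'] ?? '') === 'login') {
        // Hypothetical login: bind a user id to a freshly rotated session id.
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) ($_GET['uid'] ?? 0);
    }

    $userId = $_SESSION['user_id'] ?? null;
    echo $userId === null ? "anonymous\n" : "user {$userId}\n";

    // Persist and release the session before the worker picks up the next
    // request; explicit so no session state is left open across iterations.
    session_write_close();
};

// Switch to $affectedHandler to reproduce the behaviour on an unpatched build.
$handler = $hardenedHandler;

$maxRequests = (int) ($_SERVER['MAX_REQUESTS'] ?? 0);
for ($served = 0; !$maxRequests || $served < $maxRequests; ++$served) {
    // frankenphp_handle_request() blocks until a request arrives, resets the
    // superglobals (except $_SESSION before 1.11.2), and invokes the handler.
    $keepRunning = \frankenphp_handle_request($handler);

    // Collect cycles between requests rather than in the middle of one.
    gc_collect_cycles();

    if (!$keepRunning) {
        break;
    }
}
```

To check for the leak on a given build, send `?action=login&uid=42` from one client with a fresh cookie jar, then a plain request from a second client with no cookie: with `$affectedHandler` on an unpatched worker the second client sees `user 42`, while with `$hardenedHandler`, or on 1.11.2 and later, it sees `anonymous`. Because the leak only occurs on the same worker process, test with a single worker (`num_workers 1`) so that the two requests are guaranteed to share one.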