CVE-2016-1000109

Name of the Vulnerable Software and Affected Versions: HHVM versions prior to 3.9.6 HHVM versions 3.10.0 through 3.12.4 HHVM versions 3.13.0 through 3.14.2

Description: The issue allows remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, due to the presence of untrusted client data in the HTTP PROXY environment variable. This is related to not addressing RFC 3875 section 4.1.18 namespace conflicts.

Recommendations: For versions prior to 3.9.6, update to version 3.9.6 or later. For versions 3.10.0 through 3.12.4, update to a version outside of this range. For versions 3.13.0 through 3.14.2, update to a version outside of this range. As a temporary workaround, consider restricting access to the HTTP PROXY environment variable to minimize the risk of exploitation.