CVE-2020-1898

Name of the Vulnerable Software and Affected Versions: HHVM versions prior to 4.32.3 HHVM versions 4.33.0 through 4.62.0

Description: The fb unserialize function did not impose a depth limit for nested deserialization, allowing a maliciously constructed string to cause deserialization to recurse and lead to stack exhaustion.

Recommendations: For HHVM versions prior to 4.32.3, update to version 4.32.3 or later. For HHVM versions 4.33.0 through 4.62.0, update to a version outside of this range, as these versions are affected. As a temporary workaround, consider restricting the use of the fb unserialize function to minimize the risk of exploitation.