PT-2021-10264 · Facebook · HHVM

Jjergus · Published 2021-03-11 · Updated 2021-03-18 · CVE-2020-1899

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HHVM versions prior to 4.32.3; HHVM versions 4.33.0 through 4.62.0
Description: The unserialize() function has a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects.
Recommendations: For HHVM versions prior to 4.32.3, update to version 4.32.3 or later. For HHVM versions 4.33.0 through 4.62.0, update to a version outside of this range, as every version in it is affected. At the moment, there is no information about a newer version containing a fix for versions 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0 and 4.62.0.

Fix

Weakness Enumeration

Untrusted Pointer Dereference

Buffer Overflow

Related Identifiers

CVE-2020-1899

Affected Products

HHVM