PT-2024-4988 · Php+2

Tianstcht · Published 2024-06-06 · Updated 2026-03-10 · CVE-2024-5585

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: PHP versions 8.1.* before 8.1.29; PHP versions 8.2.* before 8.2.20; PHP versions 8.3.* before 8.3.8
Description: The issue arises from insufficient escaping when the proc_open() function is used with array syntax, allowing a malicious user who controls the arguments of the executed command to supply arguments that execute arbitrary commands in the Windows shell. The root cause is the lack of measures to neutralize special elements used in the command. The estimated number of potentially affected devices worldwide is around 25,304,775, mainly distributed in the United States, China, and other countries.
Recommendations: For PHP versions 8.1.* before 8.1.29, update to version 8.1.29 or later to resolve the issue. For PHP versions 8.2.* before 8.2.20, update to version 8.2.20 or later to resolve the issue. For PHP versions 8.3.* before 8.3.8, update to version 8.3.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the proc_open() function until a patch is available. Avoid using the proc_open() function with untrusted input to minimize the risk of exploitation.
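A defensive wrapper illustrating the recommendation above, added here as an example (not code from the advisory or from the PHP project). It assumes the fixed versions listed in this entry and relies on proc_open()'s documented Windows-only 'bypass_shell' option; the allowlist pattern and the sample command are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or from the PHP project: a defensive
// wrapper around proc_open() for the issue described above. It refuses to run on a
// Windows PHP build older than the fixed versions named in the advisory, rejects any
// argument that does not match an allowlist pattern, and sets 'bypass_shell' so the
// argument list is not re-parsed by cmd.exe. Pattern and usage are constructed.
declare(strict_types=1);

/** Fixed versions taken from the advisory, keyed by minor branch. */
const FIXED_PHP_VERSIONS = ['8.1' => '8.1.29', '8.2' => '8.2.20', '8.3' => '8.3.8'];

/** True if $version carries the fix: at or above its branch's fixed release. */
function php_has_proc_open_fix(string $version = PHP_VERSION): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    // Branches not listed by the advisory: 8.4+ is at or above 8.3.8 and ships the fix;
    // anything older than 8.1 is assumed unfixed.
    $fixed = FIXED_PHP_VERSIONS[$branch] ?? '8.3.8';
    return version_compare($version, $fixed, '>=');
}

/** Run $program with $args via proc_open() array syntax and return its stdout. */
function run_checked(string $program, array $args, string $allowed = '/^[A-Za-z0-9._\\\\\/:-]+$/'): string
{
    foreach ($args as $arg) {
        // Shell metacharacters (& | ^ " < > etc.) never match the allowlist, so they
        // are refused before any process is spawned, whatever the PHP version.
        if (!is_string($arg) || !preg_match($allowed, $arg)) {
            throw new InvalidArgumentException('Rejected argument: ' . var_export($arg, true));
        }
    }
    if (PHP_OS_FAMILY === 'Windows' && !php_has_proc_open_fix()) {
        throw new RuntimeException('PHP ' . PHP_VERSION . ' lacks the CVE-2024-5585 fix; update first.');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // bypass_shell is honoured on Windows only (ignored elsewhere): the argv array
    // goes straight to CreateProcess instead of through cmd.exe.
    $proc = proc_open(array_merge([$program], array_values($args)), $spec, $pipes,
                      null, null, ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException("Could not start $program");
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo run_checked('php', ['-v']); // benign call; an argument such as 'a&b' is rejected
```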

Weakness Enumeration: Improper Encoding or Escaping of Output; OS Command Injection

Related Identifiers

ALT-PU-2024-13731
ALT-PU-2024-16480
ALT-PU-2024-8853
ALT-PU-2024-8859
ALT-PU-2024-8861
ALT-PU-2024-9191
ALT-PU-2024-9193
AZL-42427
AZL-42439
BDU:2024-05512
BIT-LIBPHP-2024-5585
BIT-PHP-2024-5585
BIT-PHP-MIN-2024-5585
CVE-2024-5585
GHSA-9FCC-425M-G385

Affected Products

Alt Linux
Php
Red Os