PT-2026-7872 · Unknown · Frankenphp

Abdrrahimdahmani · Published 2026-02-12 · Updated 2026-03-03 · CVE-2026-24895

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FrankenPHP versions prior to 1.11.2

Description: FrankenPHP's CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters, the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI.

The vulnerability resides in the splitPos() function and its usage within splitCgiPath(). The returned index is a byte offset within the lowercased path, but it is used to slice the original path. This relies on the assumption that the lowercased path has the same byte length as the original path, which is false for certain Unicode characters. For example, the character Ⱥ (U+023A) requires 2 bytes in UTF-8, but its lowercase equivalent ⱥ (U+2C65) requires 3 bytes. If the path contains such characters before the .php extension, the index calculated on the lowercased path will be larger than the corresponding position in the original path, so the split occurs at the wrong byte offset. This can cause the server to treat a larger portion of the path as the script name, effectively allowing an attacker to manipulate SCRIPT_FILENAME.

This is a security boundary bypass and path confusion issue that can lead to Remote Code Execution (RCE) in setups where users can upload files to a reachable path. The vulnerability can be exploited by crafting a request with specific Unicode characters to force FrankenPHP to calculate SCRIPT_FILENAME as ending in a file with a safe extension (e.g., payload.txt), while the request appears to contain .php to the internal router logic.

The vulnerable function is splitPos(), which is used by splitCgiPath(). The vulnerable parameters are the path and split variables used within these functions.

Recommendations: Versions prior to 1.11.2 should be updated to version 1.11.2 or later.
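The byte-offset mismatch described above, as an added illustration that is not FrankenPHP's code: splitPosNaive reproduces the flawed pattern (index computed on a strings.ToLower copy, then applied to the original path), splitPosASCII is a hardened form that scans the original string with ASCII-only case folding so every offset it returns is valid for that string, and lowerChangesLength is the check a reviewer can use to flag paths where the two disagree. The function names, the splitCgiPath wrapper and the sample path are constructed for this example and simplify the real splitting rules.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPosNaive reproduces the flawed pattern the advisory describes
// (hypothetical reconstruction, not FrankenPHP's code): the extension is
// located in a lowercased copy of the path and that index is returned as
// if it were an offset into the original path. When strings.ToLower grows
// a character (U+023A is 2 bytes, its lowercase U+2C65 is 3 bytes), the
// returned offset overshoots the true position in the original string.
func splitPosNaive(path, split string) int {
	lower := strings.ToLower(path)
	i := strings.Index(lower, split)
	if i < 0 {
		return -1
	}
	return i + len(split)
}

// splitPosASCII is the hardened form: it walks the original path and
// compares each window against split with ASCII-only case folding, so
// byte lengths never change and the returned offset is always valid for
// the original string. split is expected to be ASCII (e.g. ".php").
func splitPosASCII(path, split string) int {
	n := len(split)
	for i := 0; i+n <= len(path); i++ {
		if asciiEqualFold(path[i:i+n], split) {
			return i + n
		}
	}
	return -1
}

// asciiEqualFold compares two strings case-insensitively for ASCII
// letters only; non-ASCII bytes must match exactly, so no Unicode
// folding can alter the comparison or the byte length.
func asciiEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		ca, cb := a[i], b[i]
		if 'A' <= ca && ca <= 'Z' {
			ca += 'a' - 'A'
		}
		if 'A' <= cb && cb <= 'Z' {
			cb += 'a' - 'A'
		}
		if ca != cb {
			return false
		}
	}
	return true
}

// splitCgiPath splits a request path into SCRIPT_NAME and PATH_INFO using
// the supplied position function (constructed wrapper). An out-of-range
// offset is clamped instead of panicking; a clamped split is exactly the
// kind of inconsistency worth logging as a detection signal.
func splitCgiPath(path string, pos func(string, string) int) (scriptName, pathInfo string) {
	i := pos(path, ".php")
	if i < 0 {
		return path, ""
	}
	if i > len(path) {
		i = len(path)
	}
	return path[:i], path[i:]
}

// lowerChangesLength reports whether lowercasing alters the byte length of
// path, i.e. whether an index taken from the lowercased copy is unsafe to
// reuse against the original.
func lowerChangesLength(path string) bool {
	return len(strings.ToLower(path)) != len(path)
}

func main() {
	// Constructed sample: two U+023A characters precede the script name.
	path := "/\u023A\u023A/index.php/extra"
	fmt.Println("lowercasing changes length:", lowerChangesLength(path))
	s, p := splitCgiPath(path, splitPosNaive)
	fmt.Printf("naive: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
	s, p = splitCgiPath(path, splitPosASCII)
	fmt.Printf("fixed: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
}
```

For the constructed path the naive function returns 17 where the extension actually ends at byte 15, so SCRIPT_NAME absorbs two extra bytes of what should be PATH_INFO; the ASCII-folding scan returns 15 and splits correctly. The same length check, applied to any string whose lowercased form is used to index the original, catches this class of bug before it reaches a CGI environment.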

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-24895
GHSA-G966-83W7-6W38
GO-2026-4486
SUSE-SU-2026:0757-1

Affected Products

Frankenphp