FrankenPHP Session Leakage Vulnerability in Worker Mode
Vulnerability
A session leakage vulnerability has been identified in FrankenPHP, a modern application server for PHP, in versions prior to 1.11.2. When running in worker mode, the $_SESSION superglobal is not reset between requests. A request handled by the same worker process can therefore read the $_SESSION data left behind by the previous request, which may belong to a different user, as long as it touches $_SESSION before calling session_start() itself. The root cause is that $_SESSION is stored in the Zend Engine's symbol table, and the standard PHP request shutdown performed between worker requests does not remove the variable from that symbol table, so its contents survive from one request to the next.
Impact
Exploitation of this vulnerability causes cross-request data leakage: sensitive information stored in one user's session can be read during a different user's request when both are served by the same worker.
Reproduction
To reproduce this vulnerability, send a request from Client A that calls session_start() and stores a value in the $_SESSION array. Then send a second request from Client B (or from the same client with no session cookie) that reads $_SESSION without calling session_start(). When the second request is handled by the same worker, the response includes the value stored by Client A, demonstrating the leak between requests. If several workers are configured, repeat the second request until it lands on the worker that served Client A, since worker selection is not controllable from the client.
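The following worker script is an added example, not FrankenPHP's own code or the original advisory's. It reproduces the leak described above in a single script (the `action=set` request plays Client A, the cookie-less `action=peek` request plays Client B) and adds a handler-level workaround for deployments that cannot upgrade immediately. The `MITIGATE` environment variable, the `action` query parameter, the `worker.php` file name and the `curl` commands in the comments are assumptions made for this example; the worker loop itself follows the pattern documented for `frankenphp_handle_request()`.

```php
<?php
// Added example (not FrankenPHP's own code): a minimal worker script that
// reproduces the cross-request $_SESSION leak on FrankenPHP < 1.11.2 and
// shows a handler-level workaround. Run it with FrankenPHP in worker mode,
// for example `frankenphp php-server --worker worker.php` from the script's
// directory, then send the following constructed requests:
//   curl -c a.txt 'http://localhost/worker.php?action=set'   # Client A: starts a session
//   curl          'http://localhost/worker.php?action=peek'  # Client B: no cookie sent
// On a vulnerable build the second response prints Client A's value.
// With MITIGATE=1 in the worker's environment the second response prints "no leak".

ignore_user_abort(true);

// Reads $_SESSION exactly as the advisory describes: before session_start().
// Returns null when the superglobal holds nothing from a previous request.
function leakedSessionValue(): ?string
{
    // On a vulnerable worker, $_SESSION still contains the previous request's array.
    return isset($_SESSION['user']) ? (string) $_SESSION['user'] : null;
}

// Illustrative workaround (assumed here, not the upstream fix): close the
// session if one is active and empty the superglobal after every request, so
// the next request served by this worker starts from a clean $_SESSION.
function resetSessionState(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    $_SESSION = [];
}

$handler = static function (): void {
    $action = $_GET['action'] ?? 'peek';

    if ($action === 'set') {
        // Client A: start a session and store a value that must not leak.
        session_start();
        $_SESSION['user'] = 'client-a-secret';
        echo "stored\n";
        return;
    }

    // Client B: inspect $_SESSION *without* calling session_start().
    $leaked = leakedSessionValue();
    echo $leaked === null ? "no leak\n" : "LEAK: {$leaked}\n";
};

// Read the workaround switch once from the process environment (assumed name).
$mitigate = getenv('MITIGATE') === '1';

$maxRequests = (int) ($_SERVER['MAX_REQUESTS'] ?? 0);
for ($nbRequests = 0; !$maxRequests || $nbRequests < $maxRequests; ++$nbRequests) {
    $keepRunning = \frankenphp_handle_request($handler);

    if ($mitigate) {
        resetSessionState();
    }

    gc_collect_cycles();
    if (!$keepRunning) {
        break;
    }
}
```

The workaround only covers handlers that run inside this script's loop; it does not replace the upgrade, and application code should in any case never read $_SESSION before calling session_start(), which is the condition the leak depends on.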
Remediation
Users are advised to upgrade to FrankenPHP version 1.11.2 or later, which addresses this vulnerability by ensuring that the $_SESSION variable is reset between requests in worker mode. As a defense-in-depth measure, application code should not read $_SESSION before calling session_start(), since the leak is only observable by code that does so.
