PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.2.31
- < 8.3.31
- < 8.4.21
- < 8.5.6
A use-after-free vulnerability exists in the PHP SoapServer component in versions 8.2.* prior to 8.2.31, 8.3.* prior to 8.3.31, 8.4.* prior to 8.4.21, and 8.5.* prior to 8.5.6. When SoapServer is set to persist objects across requests using session storage, an error in SOAP request handling can cause the persisted object to be freed while a pointer to it is retained, creating a use-after-free condition. The flaw may result in memory corruption, information disclosure, or process crashes.
Exploitation of this vulnerability can cause memory corruption, unauthorized information disclosure, or crashes of the PHP process, leading to a denial of service.
To reproduce this vulnerability, create a SoapServer instance and set its persistence to SOAP_PERSISTENCE_SESSION. Handle a SOAP request that triggers an error, such as returning a SoapFault. This will cause the server to improperly manage the session-persisted object, freeing it while still holding a pointer, which can be exploited to access freed memory.
Users can upgrade to PHP versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 to address this vulnerability.
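The following exposure check is an added example, not code from the advisory or from the PHP project. It combines the two conditions described above (an affected build and SoapServer session persistence); the function names are hypothetical and the PHP sample is constructed.

```python
import re

# Fixed patch release per affected branch, as listed in the advisory text.
FIXED_PATCH = {(8, 2): 31, (8, 3): 31, (8, 4): 21, (8, 5): 6}

# Matches ->setPersistence(SOAP_PERSISTENCE_SESSION); a call that passes a
# variable or a numeric literal instead of the constant is not matched.
SESSION_PERSIST = re.compile(
    r"->\s*setPersistence\s*\(\s*\\?SOAP_PERSISTENCE_SESSION\s*\)", re.IGNORECASE)


def version_affected(version):
    """True/False for the branches the advisory lists, None for any other.

    Distribution packages may backport the fix without changing the upstream
    version number, so treat True as "verify with the vendor", not as proof.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch < fixed


def session_persistence_lines(php_source):
    """1-based line numbers where SoapServer session persistence is enabled."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if SESSION_PERSIST.search(line)]


def exposed(version, php_source):
    """Both advisory preconditions hold: affected build and session persistence."""
    return version_affected(version) is True and bool(session_persistence_lines(php_source))


# Constructed sample input (not taken from any real application).
SAMPLE = """<?php
$server = new SoapServer(null, ['uri' => 'urn:example']);
$server->setClass(Cart::class);
$server->setPersistence(SOAP_PERSISTENCE_SESSION);
$server->handle();
"""

if __name__ == "__main__":
    for v in ("8.2.30", "8.3.31", "8.4.20-1ubuntu1", "8.1.33"):
        print(v, version_affected(v), exposed(v, SAMPLE))
    print("session persistence at lines:", session_persistence_lines(SAMPLE))
```

A None result means the branch is outside the ranges this advisory states, not that it is known to be safe.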