PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.4.21
- < 8.5.6
A denial-of-service vulnerability has been identified in PHP versions 8.4.* prior to 8.4.21 and 8.5.* prior to 8.5.6. The issue arises in the DOMNode::C14N() method, where improper handling of XML data can create a circular linked list in the data structure representing the XML document. This corruption can cause applications processing the XML to enter an infinite loop, leading to resource exhaustion or segmentation faults.
Exploitation of this vulnerability can cause a segmentation fault, disrupting the application's execution. Alternatively, it can lead to resource starvation, both temporal and spatial, causing the application to consume excessive resources and potentially degrade performance or availability.
The vulnerability can be reproduced by creating a DOM document with an SVG element that includes an 'xmlns' attribute. When the DOMNode::C14N() method is called on this document, it improperly removes the 'xmlns' attribute, leading to a circular linked list. This can be verified by accessing the document's child nodes and iterating over the attributes, which will result in an infinite loop. The issue can also be observed by allowing the document to be cleaned up, which will cause a segmentation fault.
Users can upgrade to PHP versions 8.4.21 or 8.5.6, where this vulnerability has been patched.
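The affected ranges above can be turned into an inventory triage check. The following is an added example, not part of the advisory or the PHP project; the host names and version strings in it are constructed.

```python
import re

# Fixed patch level per affected branch, taken from the advisory text.
FIXED_PATCH = {(8, 4): 21, (8, 5): 6}

# First x.y.z triple in the string; tolerates "PHP 8.4.20 (cli)" banners,
# pre-release tags such as "8.5.0RC1" and distro suffixes such as "-1ubuntu1".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def classify_php_version(raw: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    match = _VERSION_RE.search(raw)
    if match is None:
        return "unparsed"
    major, minor, patch = map(int, match.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # The advisory only names the 8.4 and 8.5 branches.
        return "not-listed"
    # Caveat: a distribution package can carry a backported fix under an
    # older upstream number, so confirm 'affected' against the vendor notice.
    return "affected" if patch < fixed else "fixed"


def hosts_to_patch(inventory: dict[str, str]) -> list[str]:
    """Hosts whose reported version is affected or could not be parsed."""
    return sorted(
        host for host, raw in inventory.items()
        if classify_php_version(raw) in ("affected", "unparsed")
    )


# Constructed sample inventory (host names and version strings are made up).
SAMPLE_INVENTORY = {
    "web-01": "PHP 8.4.20 (cli) (NTS)",
    "web-02": "8.4.21",
    "web-03": "8.5.0RC1",
    "web-04": "8.5.6",
    "batch-01": "8.3.15",
    "legacy-01": "unknown",
}

if __name__ == "__main__":
    for host, raw in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:10} {classify_php_version(raw):11} {raw}")
    print("review:", ", ".join(hosts_to_patch(SAMPLE_INVENTORY)))
```

Hosts reported as 'unparsed' are included in the review list so that a missing or malformed version string is not silently treated as safe.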