CVE-2019-11043

Underflow in PHP-FPM can lead to RCE

Basic Information

CVE State: PUBLISHED
Reserved Date: April 09, 2019
Published Date: October 28, 2019
Last Updated: February 07, 2025
Vendor: PHP
Product: PHP
Description: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVSS Scores

CVSS v3.1

8.7 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2022-03-25 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2019-11-17 05:16:02 UTC) Source
Used in Malware: Yes (added 2022-03-25 00:00:00 UTC) Source

References

https://github.com/neex/phuip-fpizdam https://bugs.php.net/bug.php?id=78599 https://usn.ubuntu.com/4166-1/ https://www.debian.org/security/2019/dsa-4552 https://www.debian.org/security/2019/dsa-4553 https://usn.ubuntu.com/4166-2/ https://support.f5.com/csp/article/K75408500?utm_source=f5support&amp%3Butm_medium=RSS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/ https://security.netapp.com/advisory/ntap-20191031-0003/ https://access.redhat.com/errata/RHSA-2019:3286 https://access.redhat.com/errata/RHSA-2019:3287 https://access.redhat.com/errata/RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3300 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/ http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html https://access.redhat.com/errata/RHSA-2019:3724 https://access.redhat.com/errata/RHSA-2019:3735 https://access.redhat.com/errata/RHSA-2019:3736 https://www.synology.com/security/advisory/Synology_SA_19_36 http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html https://support.apple.com/kb/HT210919 https://seclists.org/bugtraq/2020/Jan/44 http://seclists.org/fulldisclosure/2020/Jan/40 https://access.redhat.com/errata/RHSA-2020:0322 http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html https://www.tenable.com/security/tns-2021-14

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-03-25 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_fpm_rce.rb	2025-04-29 11:01:23 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

php_fpm_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-11043

jas9reet/CVE-2019-11043

Type: github • Created: 2022-03-04 16:25:16 UTC • Stars: 0

CVE-2019-11043 LAB

lindemer/CVE-2019-11043

Type: github • Created: 2020-11-18 07:25:37 UTC • Stars: 4

PHP-FPM Remote Command Execution Exploit

corifeo/CVE-2019-11043

Type: github • Created: 2020-07-13 16:32:15 UTC • Stars: 0

quick and dirty PHP RCE proof of concept

kriskhub/CVE-2019-11043

Type: github • Created: 2020-05-05 09:43:44 UTC • Stars: 12

This repository provides a dockerized infrastructure and a python implementation of the CVE-2019-11043 exploit.

moniik/CVE-2019-11043_env

Type: github • Created: 2019-11-17 05:16:02 UTC • Stars: 1

remote debug environment for CLion

k8gege/CVE-2019-11043

Type: github • Created: 2019-11-11 11:29:54 UTC • Stars: 16

Ladon POC Moudle CVE-2019-11043 (PHP-FPM + Ngnix)

0th3rs-Security-Team/CVE-2019-11043

Type: github • Created: 2019-11-06 15:44:47 UTC • Stars: 13

CVE-2019-11043 PHP7.x RCE

MRdoulestar/CVE-2019-11043

Type: github • Created: 2019-11-06 14:53:13 UTC • Stars: 3

CVE-2019-11043 && PHP7.x && RCE EXP

ypereirareis/docker-CVE-2019-11043

Type: github • Created: 2019-10-30 10:22:41 UTC • Stars: 7

Docker image and commands to check CVE-2019-11043 vulnerability on nginx/php-fpm applications.

huowen/CVE-2019-11043

Type: github • Created: 2019-10-29 11:16:12 UTC • Stars: 5

Python exp for CVE-2019-11043

theMiddleBlue/CVE-2019-11043

Type: github • Created: 2019-10-28 11:09:06 UTC • Stars: 145

(PoC) Python version of CVE-2019-11043 exploit by neex

akamajoris/CVE-2019-11043-Docker

Type: github • Created: 2019-10-24 12:32:02 UTC • Stars: 27

fairyming/CVE-2019-11043

Type: github • Created: 2019-10-24 09:12:38 UTC • Stars: 1

ianxtianxt/CVE-2019-11043

Type: github • Created: 2019-10-24 09:09:01 UTC • Stars: 0

AleWong/PHP-FPM-Remote-Code-Execution-Vulnerability-CVE-2019-11043-

Type: github • Created: 2019-10-24 05:28:41 UTC • Stars: 4

PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043) POC in Python

jas502n/CVE-2019-11043

Type: github • Created: 2019-10-23 23:26:57 UTC • Stars: 104

php-fpm+Nginx RCE

tinker-li/CVE-2019-11043

Type: github • Created: 2019-10-23 13:34:28 UTC • Stars: 0

B1gd0g/CVE-2019-11043

Type: github • Created: 2019-10-23 13:32:14 UTC • Stars: 0

CVE-2019-11043