Facebook Hhvm
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Facebook Hhvm.
By the Year
In 2025 there have been 0 vulnerabilities in Facebook Hhvm. Hhvm did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 1 | 9.80 |
2022 | 0 | 0.00 |
2021 | 11 | 8.60 |
2020 | 3 | 7.70 |
2019 | 10 | 9.57 |
2018 | 5 | 7.76 |
It may take a day or so for new Hhvm vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Facebook Hhvm Security Vulnerabilities
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension
CVE-2022-36937
9.8 - Critical
- May 10, 2023
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP
CVE-2019-3556
8.1 - High
- October 26, 2021
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access. This issue affects HHVM versions prior to 4.56.2, all versions between 4.57.0 and 4.78.0, as well as 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0.
Directory traversal
Passing an attacker controlled size when creating an IOBuf could cause integer overflow
CVE-2021-24036
9.8 - Critical
- July 23, 2021
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.
Integer Overflow or Wraparound
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it
CVE-2020-1900
9.8 - Critical
- March 11, 2021
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Dangling pointer
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization
CVE-2020-1899
7.5 - High
- March 11, 2021
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Buffer Overflow
The fb_unserialize function did not impose a depth limit for nested deserialization
CVE-2020-1898
7.5 - High
- March 11, 2021
The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Stack Exhaustion
An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in
CVE-2020-1916
9.8 - Critical
- March 10, 2021
An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write. This issue affects HHVM prior to 4.56.2, all versions between 4.57.0 and 4.78.0, 4.79.0, 4.80.0, 4.81.0, 4.82.0, 4.83.0.
Memory Corruption
Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function
CVE-2021-24025
9.8 - Critical
- March 10, 2021
Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Integer Overflow or Wraparound
In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating
CVE-2020-1921
7.5 - High
- March 10, 2021
In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Memory Corruption
Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first
CVE-2020-1919
7.5 - High
- March 10, 2021
Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Out-of-bounds Read
In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking
CVE-2020-1918
7.5 - High
- March 10, 2021
In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Out-of-bounds Read
xbuf_format_converter
CVE-2020-1917
9.8 - Critical
- March 10, 2021
xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function. As a result, if the buffer was full, it would result in an out-of-bounds write. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.
Memory Corruption
Insufficient boundary checks when decoding JSON in JSON_parser
CVE-2020-1892
8.1 - High
- March 03, 2020
Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
Out-of-bounds Read
Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS
CVE-2020-1888
7.5 - High
- March 03, 2020
Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
Out-of-bounds Read
Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS
CVE-2020-1893
7.5 - High
- March 03, 2020
Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.
Out-of-bounds Read
Various APC functions accept keys containing null bytes as input, leading to premature truncation of input
CVE-2019-11936
9.8 - Critical
- December 04, 2019
Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory
CVE-2019-11935
9.8 - Critical
- December 04, 2019
Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Classic Buffer Overflow
An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution
CVE-2019-11930
9.8 - Critical
- December 04, 2019
An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
Release of Invalid Pointer or Reference
Insufficient boundary checks when formatting numbers in number_format
CVE-2019-11929
9.8 - Critical
- October 02, 2019
Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution. This issue affects HHVM versions prior to 3.30.10, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.18.2, and versions 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0.
Buffer Overflow
Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could
CVE-2019-11926
9.8 - Critical
- September 06, 2019
Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.
Out-of-bounds Read
Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could
CVE-2019-11925
9.8 - Critical
- September 06, 2019
Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.
Out-of-bounds Read
HHVM, when used with FastCGI, would bind by default to all available interfaces
CVE-2019-3569
7.5 - High
- June 26, 2019
HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.
Exposure of Resource to Wrong Sphere
Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory
CVE-2019-3561
9.8 - Critical
- April 29, 2019
Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below).
Out-of-bounds Read
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large
CVE-2018-6345
9.8 - Critical
- January 15, 2019
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).
Memory Corruption
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently
CVE-2019-3557
9.8 - Critical
- January 15, 2019
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were updated to return valid values consistently. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
Out-of-bounds Read
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read
CVE-2018-6340
8.1 - High
- December 31, 2018
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
Out-of-bounds Read
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called
CVE-2018-6337
7.5 - High
- December 31, 2018
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
Buffer Overflow
A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data
CVE-2018-6335
7.5 - High
- December 31, 2018
A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.
Improper Input Validation
Multipart-file uploads call variables to be improperly registered in the global scope
CVE-2018-6334
9.8 - Critical
- December 31, 2018
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
Improper Input Validation
A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings
CVE-2018-6332
5.9 - Medium
- December 03, 2018
A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests.
Data Processing Errors
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Facebook Hhvm or by Facebook? Click the Watch button to subscribe.