Hhvm Facebook Hhvm

Do you want an email whenever new security vulnerabilities are reported in Facebook Hhvm?

By the Year

In 2021 there have been 9 vulnerabilities in Facebook Hhvm with an average score of 8.5 out of ten. Last year Hhvm had 3 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2021 as compared to last year. However, the average CVE base score of the vulnerabilities in 2021 is greater by 0.82.

Year Vulnerabilities Average Score
2021 9 8.52
2020 3 7.70
2019 10 9.57
2018 5 7.76

It may take a day or so for new Hhvm vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Facebook Hhvm Security Vulnerabilities

When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it

CVE-2020-1900 9.8 - Critical - March 11, 2021

When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.

Dangling pointer

The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization

CVE-2020-1899 7.5 - High - March 11, 2021

The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.

Buffer Overflow

The fb_unserialize function did not impose a depth limit for nested deserialization

CVE-2020-1898 7.5 - High - March 11, 2021

The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.

Stack Exhaustion

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function

CVE-2021-24025 9.8 - Critical - March 10, 2021

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Integer Overflow or Wraparound

In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating

CVE-2020-1921 7.5 - High - March 10, 2021

In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Memory Corruption

Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first

CVE-2020-1919 7.5 - High - March 10, 2021

Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Out-of-bounds Read

In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking

CVE-2020-1918 7.5 - High - March 10, 2021

In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Out-of-bounds Read

xbuf_format_converter

CVE-2020-1917 9.8 - Critical - March 10, 2021

xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function. As a result, if the buffer was full, it would result in an out-of-bounds write. This issue affects HHVM versions prior to 4.56.3, all versions between 4.57.0 and 4.80.1, all versions between 4.81.0 and 4.93.1, and versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0.

Memory Corruption

An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in

CVE-2020-1916 9.8 - Critical - March 10, 2021

An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write. This issue affects HHVM prior to 4.56.2, all versions between 4.57.0 and 4.78.0, 4.79.0, 4.80.0, 4.81.0, 4.82.0, 4.83.0.

Memory Corruption

Insufficient boundary checks when decoding JSON in JSON_parser

CVE-2020-1892 8.1 - High - March 03, 2020

Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.

Out-of-bounds Read

Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS

CVE-2020-1893 7.5 - High - March 03, 2020

Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.

Out-of-bounds Read

Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS

CVE-2020-1888 7.5 - High - March 03, 2020

Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7.

Out-of-bounds Read

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input

CVE-2019-11936 9.8 - Critical - December 04, 2019

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Buffer Overflow

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution

CVE-2019-11930 9.8 - Critical - December 04, 2019

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Improper Input Validation

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory

CVE-2019-11935 9.8 - Critical - December 04, 2019

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Classic Buffer Overflow

Insufficient boundary checks when formatting numbers in number_format

CVE-2019-11929 9.8 - Critical - October 02, 2019

Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution. This issue affects HHVM versions prior to 3.30.10, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.18.2, and versions 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0.

Buffer Overflow

Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could

CVE-2019-11925 9.8 - Critical - September 06, 2019

Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.

Out-of-bounds Read

Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could

CVE-2019-11926 9.8 - Critical - September 06, 2019

Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.

Out-of-bounds Read

HHVM, when used with FastCGI, would bind by default to all available interfaces

CVE-2019-3569 7.5 - High - June 26, 2019

HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

Information Disclosure

Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory

CVE-2019-3561 9.8 - Critical - April 29, 2019

Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all supported versions of HHVM (4.0.3, 3.30.4, and 3.27.7 and below).

Out-of-bounds Read

The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently

CVE-2019-3557 9.8 - Critical - January 15, 2019

The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were updated to return valid values consistently. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).

Out-of-bounds Read

The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large

CVE-2018-6345 9.8 - Critical - January 15, 2019

The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).

Memory Corruption

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read

CVE-2018-6340 8.1 - High - December 31, 2018

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).

Out-of-bounds Read

folly::secureRandom will re-use a buffer between parent and child processes when fork() is called

CVE-2018-6337 7.5 - High - December 31, 2018

folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.

Buffer Overflow

A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data

CVE-2018-6335 7.5 - High - December 31, 2018

A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.

Improper Input Validation

Multipart-file uploads call variables to be improperly registered in the global scope

CVE-2018-6334 9.8 - Critical - December 31, 2018

Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).

Improper Input Validation

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings

CVE-2018-6332 5.9 - Medium - December 03, 2018

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests.

Data Processing Errors

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Facebook Hhvm or by Facebook? Click the Watch button to subscribe.

subscribe