CVE-2019-11043
CVE-2019-11043 is a high-severity vulnerability in Php with a CVSS 3.x base score of 8.7. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-787.
Key facts
- Severity: High (CVSS 3.x base score 8.7)
- CVSS v2: 7.5
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-25)
- EU (EUVD) id: EUVD-2019-2751
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-25)
- Weakness: CWE-787
- Affected product: Php
- Published:
- Last modified:
Description
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
CVE-2019-11043: PHP-FPM Out-of-Bounds Write Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2019-11043 |
| Published | 2019-10-28 |
| Severity (CVSS v3.1) | 8.7 (High) |
| EPSS | 0.9947 (99.47%) |
| KEV | Yes (2022-03-25) |
| CWE | CWE-787 (Out-of-bounds Write) |
| Assigner | [email protected] |
Summary
CVE-2019-11043 is an out-of-bounds write vulnerability in PHP-FPM under specific nginx configurations. When fastcgi_split_path_info is used and the regular expression fails to match, PHP-FPM can write past allocated buffers into FCGI protocol data space, enabling remote code execution.
Background
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with additional features useful for high-load sites. In typical deployments, nginx communicates with PHP-FPM via the FastCGI protocol over a Unix socket or TCP port. The vulnerability was publicly disclosed in October 2019 and is widely known by the proof-of-concept name phuip-fpizdam.
Root Cause
The flaw is classified as CWE-787: Out-of-bounds Write. Under certain configurations where nginx's fastcgi_split_path_info directive is present, a malformed request can cause the FPM module to write environment variable data past the end of an allocated buffer. This corrupts adjacent FCGI protocol structures, eventually allowing an attacker to overwrite the fcgi_data_seg structure and achieve arbitrary memory writes.
Impact
The vulnerability is rated CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N with a base score of 8.7 (High). The CVSS v2 vector is AV:N/AC:L/Au:N/C:P/I:P/A:P scoring 7.5. Successful exploitation can lead to remote code execution on the target server. The attack requires network access but no authentication or user interaction; however, the attack complexity is rated High because the vulnerable configuration is specific.
Exploitation Walkthrough
This section describes the vulnerability mechanism from a defensive perspective. No weaponized exploit code is provided, and any testing should be performed only in authorized, isolated environments.
The vulnerability is triggered when the following conditions are met:
- nginx is configured with
fastcgi_split_path_info. - A request is sent where the regular expression in
fastcgi_split_path_infofails to match, causingPATH_INFOto be empty. - The FastCGI request parameters are constructed in a way that causes the FPM worker to under-allocate a buffer for environment variables.
Under these conditions, the FPM process writes beyond the allocated buffer, corrupting the FCGI data segment. An attacker can chain this behavior to overwrite pointers and inject code. Public research (e.g., the phuip-fpizdam project) demonstrated this technique, leading to widespread scanning and exploitation.
Affected and Patched Versions
Affected:
- PHP 7.1.x before 7.1.33
- PHP 7.2.x before 7.2.24
- PHP 7.3.x before 7.3.11
Patched:
- PHP 7.1.33
- PHP 7.2.24
- PHP 7.3.11
Numerous Linux distributions also released security advisories, including Red Hat (RHSA-2019:3286, RHSA-2019:3287), Debian (DSA-4552, DSA-4553), Ubuntu (USN-4166-1, USN-4166-2), and SUSE.
Remediation
- Upgrade PHP to the patched versions listed above. PHP 7.1 reached end-of-life in 2019, so upgrading to a supported branch (7.4+, 8.x) is strongly recommended.
- Review nginx configuration. If
fastcgi_split_path_infois not required, remove it. If it is required, ensure that fallback behavior does not pass emptyPATH_INFOto PHP-FPM. Usingtry_filesor explicitly checking for empty values can mitigate the vulnerable code path. - Apply vendor patches for operating system packages through your standard patch management cycle.
Detection
- Monitor web server access logs for unusual request patterns targeting PHP-FPM endpoints, especially requests containing newline characters or abnormally long URIs.
- Network intrusion detection systems (IDS) may have signatures for the anomalous FastCGI parameter sequences associated with this exploit.
- Endpoint detection should flag unexpected process spawning from the PHP-FPM worker pool.
- Verify PHP-FPM version via
php-fpm -vand cross-check against known vulnerable ranges.
Assessment
With an EPSS score of 0.9947 (99.47% probability of exploitation) and a percentile of 0.99939, this vulnerability is among the most likely to be exploited in the wild. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2022-03-25 and has been linked to ransomware activity. The original disclosure included a functional proof-of-concept, lowering the barrier for adversaries.
Key lessons:
- Boundary checks in IPC are critical. Even mature software like PHP-FPM can suffer from memory-safety issues when handling inter-process communication protocols.
- Configuration hardening matters. The vulnerability is exploitable only under a specific, albeit common, nginx configuration pattern, underscoring that secure defaults and configuration review are as important as patching.
References
Frequently asked questions
- What is CVE-2019-11043?
- In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
- How severe is CVE-2019-11043?
- CVE-2019-11043 has a CVSS 3.x base score of 8.7, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2019-11043 being actively exploited?
- Yes. CVE-2019-11043 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-11043?
- CVE-2019-11043 primarily affects Php. In total, 64 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-11043?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-11043 have an EU (EUVD) identifier?
- Yes. CVE-2019-11043 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-2751. It is also flagged as exploited in the EUVD (since 2022-03-25).
- When was CVE-2019-11043 published?
- CVE-2019-11043 was published on 2019-10-28 and last updated on 2026-06-17.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2020/Jan/40
- https://access.redhat.com/errata/RHSA-2019:3286
- https://access.redhat.com/errata/RHSA-2019:3287
- https://access.redhat.com/errata/RHSA-2019:3299
- https://access.redhat.com/errata/RHSA-2019:3300
- https://access.redhat.com/errata/RHSA-2019:3724
- https://access.redhat.com/errata/RHSA-2019:3735
- https://access.redhat.com/errata/RHSA-2019:3736
- https://access.redhat.com/errata/RHSA-2020:0322
- https://bugs.php.net/bug.php?id=78599
- https://github.com/neex/phuip-fpizdam
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
- https://seclists.org/bugtraq/2020/Jan/44
- https://security.netapp.com/advisory/ntap-20191031-0003/
- https://support.apple.com/kb/HT210919
- https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4166-1/
- https://usn.ubuntu.com/4166-2/
- https://www.debian.org/security/2019/dsa-4552
- https://www.debian.org/security/2019/dsa-4553
- https://www.synology.com/security/advisory/Synology_SA_19_36
- https://www.tenable.com/security/tns-2021-14
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11043
Affected products (64)
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.1_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.2_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.4_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.6_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.8_aarch64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0_ppc64:*:*:*:*:*:*:*
More vulnerabilities in Php
- CVE-2015-0235 — Critical (CVSS 10.0): Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,…
- CVE-2012-2688 — Critical (CVSS 10.0): Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and…
- CVE-2012-2376 — Critical (CVSS 10.0): Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to…
- CVE-2011-3268 — Critical (CVSS 10.0): Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified…
- CVE-2009-4143 — Critical (CVSS 10.0): PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1)…
- CVE-2008-5557 — Critical (CVSS 10.0): Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0…
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…
Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 103.165.139.145 (ipv4-addr)
- 221.182.185.190 (ipv4-addr)
- 61.143.227.17 (ipv4-addr)
- 220.178.39.106 (ipv4-addr)
- 218.29.231.106 (ipv4-addr)
- 210.245.20.230 (ipv4-addr)
- 171.100.121.127 (ipv4-addr)
- 121.22.99.2 (ipv4-addr)