CVE-2019-11043

CVE-2019-11043 is a high-severity vulnerability in Php with a CVSS 3.x base score of 8.7. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-787.

Key facts

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVE-2019-11043: PHP-FPM Out-of-Bounds Write Leading to Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2019-11043
Published 2019-10-28
Severity (CVSS v3.1) 8.7 (High)
EPSS 0.9947 (99.47%)
KEV Yes (2022-03-25)
CWE CWE-787 (Out-of-bounds Write)
Assigner [email protected]

Summary

CVE-2019-11043 is an out-of-bounds write vulnerability in PHP-FPM under specific nginx configurations. When fastcgi_split_path_info is used and the regular expression fails to match, PHP-FPM can write past allocated buffers into FCGI protocol data space, enabling remote code execution.

Background

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with additional features useful for high-load sites. In typical deployments, nginx communicates with PHP-FPM via the FastCGI protocol over a Unix socket or TCP port. The vulnerability was publicly disclosed in October 2019 and is widely known by the proof-of-concept name phuip-fpizdam.

Root Cause

The flaw is classified as CWE-787: Out-of-bounds Write. Under certain configurations where nginx's fastcgi_split_path_info directive is present, a malformed request can cause the FPM module to write environment variable data past the end of an allocated buffer. This corrupts adjacent FCGI protocol structures, eventually allowing an attacker to overwrite the fcgi_data_seg structure and achieve arbitrary memory writes.

Impact

The vulnerability is rated CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N with a base score of 8.7 (High). The CVSS v2 vector is AV:N/AC:L/Au:N/C:P/I:P/A:P scoring 7.5. Successful exploitation can lead to remote code execution on the target server. The attack requires network access but no authentication or user interaction; however, the attack complexity is rated High because the vulnerable configuration is specific.

Exploitation Walkthrough

This section describes the vulnerability mechanism from a defensive perspective. No weaponized exploit code is provided, and any testing should be performed only in authorized, isolated environments.

The vulnerability is triggered when the following conditions are met:

  1. nginx is configured with fastcgi_split_path_info.
  2. A request is sent where the regular expression in fastcgi_split_path_info fails to match, causing PATH_INFO to be empty.
  3. The FastCGI request parameters are constructed in a way that causes the FPM worker to under-allocate a buffer for environment variables.

Under these conditions, the FPM process writes beyond the allocated buffer, corrupting the FCGI data segment. An attacker can chain this behavior to overwrite pointers and inject code. Public research (e.g., the phuip-fpizdam project) demonstrated this technique, leading to widespread scanning and exploitation.

Affected and Patched Versions

Affected:

  • PHP 7.1.x before 7.1.33
  • PHP 7.2.x before 7.2.24
  • PHP 7.3.x before 7.3.11

Patched:

  • PHP 7.1.33
  • PHP 7.2.24
  • PHP 7.3.11

Numerous Linux distributions also released security advisories, including Red Hat (RHSA-2019:3286, RHSA-2019:3287), Debian (DSA-4552, DSA-4553), Ubuntu (USN-4166-1, USN-4166-2), and SUSE.

Remediation

  1. Upgrade PHP to the patched versions listed above. PHP 7.1 reached end-of-life in 2019, so upgrading to a supported branch (7.4+, 8.x) is strongly recommended.
  2. Review nginx configuration. If fastcgi_split_path_info is not required, remove it. If it is required, ensure that fallback behavior does not pass empty PATH_INFO to PHP-FPM. Using try_files or explicitly checking for empty values can mitigate the vulnerable code path.
  3. Apply vendor patches for operating system packages through your standard patch management cycle.

Detection

  • Monitor web server access logs for unusual request patterns targeting PHP-FPM endpoints, especially requests containing newline characters or abnormally long URIs.
  • Network intrusion detection systems (IDS) may have signatures for the anomalous FastCGI parameter sequences associated with this exploit.
  • Endpoint detection should flag unexpected process spawning from the PHP-FPM worker pool.
  • Verify PHP-FPM version via php-fpm -v and cross-check against known vulnerable ranges.

Assessment

With an EPSS score of 0.9947 (99.47% probability of exploitation) and a percentile of 0.99939, this vulnerability is among the most likely to be exploited in the wild. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2022-03-25 and has been linked to ransomware activity. The original disclosure included a functional proof-of-concept, lowering the barrier for adversaries.

Key lessons:

  1. Boundary checks in IPC are critical. Even mature software like PHP-FPM can suffer from memory-safety issues when handling inter-process communication protocols.
  2. Configuration hardening matters. The vulnerability is exploitable only under a specific, albeit common, nginx configuration pattern, underscoring that secure defaults and configuration review are as important as patching.

References

Frequently asked questions

What is CVE-2019-11043?
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
How severe is CVE-2019-11043?
CVE-2019-11043 has a CVSS 3.x base score of 8.7, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2019-11043 being actively exploited?
Yes. CVE-2019-11043 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-11043?
CVE-2019-11043 primarily affects Php. In total, 64 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-11043?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-11043 have an EU (EUVD) identifier?
Yes. CVE-2019-11043 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-2751. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2019-11043 published?
CVE-2019-11043 was published on 2019-10-28 and last updated on 2026-06-17.

References

Affected products (64)

More vulnerabilities in Php

All CVEs affecting Php →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: