CVE-2021-21707
CVE-2021-21707 is a medium-severity vulnerability in Php with a CVSS 3.x base score of 5.3. Its EPSS exploit-prediction score of 26% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-159.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 26% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-159
- Affected product: Php
- Published:
- Last modified:
Description
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Frequently asked questions
- What is CVE-2021-21707?
- In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
- How severe is CVE-2021-21707?
- CVE-2021-21707 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-21707 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 26% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-21707?
- CVE-2021-21707 primarily affects Php. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-21707?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-21707 published?
- CVE-2021-21707 was published on 2021-11-29 and last updated on 2026-06-17.
References
- https://bugs.php.net/bug.php?id=79971
- https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html
- https://security.netapp.com/advisory/ntap-20211223-0005/
- https://www.debian.org/security/2022/dsa-5082
- https://www.tenable.com/security/tns-2022-09
Affected products (5)
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
More vulnerabilities in Php
- CVE-2015-0235 — Critical (CVSS 10.0): Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,…
- CVE-2012-2688 — Critical (CVSS 10.0): Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and…
- CVE-2012-2376 — Critical (CVSS 10.0): Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to…
- CVE-2011-3268 — Critical (CVSS 10.0): Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified…
- CVE-2009-4143 — Critical (CVSS 10.0): PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1)…
- CVE-2008-5557 — Critical (CVSS 10.0): Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0…
Other CWE-159 vulnerabilities
- CVE-2019-9505 — Critical (CVSS 9.8): The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not sanitize special…
- CVE-2020-1648 — High (CVSS 7.5): On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific BGP packet can lead to a routing…
- CVE-2020-1646 — High (CVSS 7.5): On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific UPDATE for an EBGP peer can lead to a…
- CVE-2026-35536 — High (CVSS 7.2): In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to…
- CVE-2026-2636 — Medium (CVSS 5.5): This vulnerability is caused by a CWE‑159: "Improper Handling of Invalid Use of Special Elements" weakness, which…
- CVE-2021-42375 — Medium (CVSS 5.5): An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted…
Browse all CWE-159 vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 45.232.73.84 (ipv4-addr)
- 223.197.186.7 (ipv4-addr)
- 218.51.148.194 (ipv4-addr)
- 20.157.117.15 (ipv4-addr)
- 34.83.189.112 (ipv4-addr)
- 36.67.165.162 (ipv4-addr)
- 220.178.39.106 (ipv4-addr)
- 103.174.34.49 (ipv4-addr)