CVE-2022-31628 Overview
CVE-2022-31628 is a Denial of Service vulnerability in the uncompressor of PHP's phar extension. In PHP versions before 7.4.31, 8.0.24, and 8.1.11, the phar uncompressor code recursively uncompresses gzip "quine" files (archives whose decompressed output is the archive itself), resulting in an infinite loop. This allows a local attacker with low privileges to cause resource exhaustion and denial of service on affected systems by supplying a specially crafted gzip archive.
Critical Impact
Local attackers can exploit this infinite loop vulnerability to cause complete denial of service on PHP applications that process untrusted phar archives, leading to CPU exhaustion and system unavailability.
Affected Products
- PHP versions before 7.4.31
- PHP versions 8.0.x before 8.0.24
- PHP versions 8.1.x before 8.1.11
- Fedora 35, 36, and 37
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2022-09-28 - CVE-2022-31628 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31628
Vulnerability Analysis
This vulnerability resides in PHP's phar (PHP Archive) extension, specifically within the gzip decompression functionality. The root issue involves improper handling of self-referential or "quine" gzip files—archives that decompress into themselves or create recursive decompression cycles. When the phar uncompressor encounters such a file, it enters an uncontrolled recursive decompression loop, consuming CPU resources indefinitely until the process is terminated or the system becomes unresponsive.
The vulnerability is classified under CWE-674 (Uncontrolled Recursion) and CWE-835 (Infinite Loop), accurately describing the technical nature of the flaw. Exploitation requires local access and low privileges, meaning an attacker must be able to supply a malicious phar archive to a PHP application that processes such files.
Root Cause
The root cause stems from insufficient validation of gzip archive contents before and during the decompression process. The phar uncompressor failed to implement proper recursion depth limits or cycle detection when processing nested compressed content. When a gzip "quine" file—a file that decompresses to produce itself—is encountered, the decompression logic continuously attempts to decompress the same content without recognizing the recursive pattern, resulting in an infinite loop.
Attack Vector
The attack vector is local, requiring the attacker to provide a malicious gzip-compressed phar archive to a vulnerable PHP application. Attack scenarios include:
- Uploading a crafted phar archive through a file upload functionality
- Supplying malicious input to applications that process user-provided archives
- Exploiting any PHP script that uses phar stream wrappers on untrusted data
The vulnerability allows an attacker to craft a specially formatted gzip file that acts as a quine—when decompressed, it produces output that triggers another decompression cycle. This recursive behavior continues indefinitely, consuming CPU resources and effectively causing denial of service.
For technical details on the vulnerability mechanism, refer to the PHP Bug Report #81726.
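To make the mechanism described above concrete, the following added example (not code from PHP or from this advisory) contrasts the unsafe pattern, "keep decompressing while the output still looks like gzip", with a bounded variant that applies a nesting limit, a per-layer output cap and cycle detection. It is a stand-alone Python model of the defensive principle, not a reproduction of the PHP fix; the limits `MAX_LAYERS` and `MAX_OUTPUT`, the helper names and the sample payload are assumptions made for the example.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Assumed policy limits for this example (not values from PHP or the advisory).
MAX_LAYERS = 4                  # nested gzip layers we are willing to peel
MAX_OUTPUT = 16 * 1024 * 1024   # bytes any single layer may expand to


class DecompressionBombError(ValueError):
    """Raised when nested gzip input exceeds the configured bounds."""


def is_gzip(data: bytes) -> bool:
    """True if the buffer starts with the gzip magic bytes."""
    return data[:2] == GZIP_MAGIC


def uncompress_unbounded(data: bytes) -> bytes:
    """The unsafe pattern: keep decompressing while the output still looks like gzip.

    On a gzip quine (a stream whose output equals its input) this loop never exits,
    which is the CWE-835 condition described for CVE-2022-31628.
    """
    while is_gzip(data):
        data = gzip.decompress(data)
    return data


def _decompress_one_layer(data: bytes, max_output: int) -> bytes:
    """Inflate one gzip member, rejecting it if it expands beyond max_output bytes."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = inflater.decompress(data, max_output + 1)           # stop early instead of inflating it all
    if len(out) > max_output:
        raise DecompressionBombError(f"layer expands beyond {max_output} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed gzip stream")
    return out


def uncompress_bounded(data: bytes, max_layers: int = MAX_LAYERS,
                       max_output: int = MAX_OUTPUT):
    """Hardened variant: depth limit, output limit and cycle detection.

    Returns (payload, layers_removed). The SHA-256 of every layer is remembered,
    so a stream that reproduces an earlier layer (a quine or a longer cycle) is
    refused instead of being decompressed again.
    """
    seen = set()
    layers = 0
    while is_gzip(data):
        digest = hashlib.sha256(data).digest()
        if digest in seen:
            raise DecompressionBombError("gzip layer reproduces an earlier layer (quine/cycle)")
        seen.add(digest)
        if layers >= max_layers:
            raise DecompressionBombError(f"more than {max_layers} nested gzip layers")
        layers += 1
        data = _decompress_one_layer(data, max_output)
    return data, layers


def is_rejected(data: bytes, **limits) -> bool:
    """Convenience wrapper: True if uncompress_bounded refuses the input."""
    try:
        uncompress_bounded(data, **limits)
    except DecompressionBombError:
        return True
    return False


def nest(payload: bytes, layers: int) -> bytes:
    """Build constructed test input: payload wrapped in `layers` gzip layers."""
    for _ in range(layers):
        payload = gzip.compress(payload, mtime=0)
    return payload


if __name__ == "__main__":
    sample = nest(b"<?php echo 'phar stub';", 3)   # constructed sample input
    print(uncompress_bounded(sample))                # (b"<?php echo 'phar stub';", 3)
    print(is_rejected(nest(b"x", MAX_LAYERS + 1)))   # True: one layer too many
```

The depth limit alone already turns the infinite loop into a bounded one; the hash-based cycle check adds a cheaper early exit for the quine case, and the output cap covers the related decompression-bomb risk that an unbounded inflate would expose even without recursion.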
Detection Methods for CVE-2022-31628
Indicators of Compromise
- Abnormally high CPU utilization by PHP processes, particularly php-fpm or Apache worker processes
- PHP processes running for extended periods without completing when processing archive files
- System logs showing unresponsive PHP workers or process timeouts
- Memory consumption growth in PHP processes handling phar archives
Detection Strategies
- Monitor PHP process CPU usage for anomalies, especially sustained 100% utilization on single cores
- Implement application-level logging for phar archive processing operations
- Set up alerts for PHP process execution timeouts when handling file uploads or archive operations
- Review web server logs for requests involving phar archive processing that result in timeouts
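The timeout-based detection strategies above can be automated over php-fpm and PHP error logs. The following is an added example, not tooling from the advisory or from PHP: it parses php-fpm `execution timed out ... terminating` warnings (emitted when request_terminate_timeout fires) and PHP `Maximum execution time ... exceeded` fatal errors, then flags any script that hits a burst of timeouts within a sliding window. The log lines are constructed for the example, and the threshold and window size are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (php-fpm log entries followed by a PHP error_log line);
# they are not taken from a real incident.
SAMPLE_LOG = [
    "[28-Sep-2022 10:01:07] WARNING: [pool www] child 2141, script '/var/www/html/upload.php' "
    "(request: \"POST /upload.php\") execution timed out (30.012345 sec), terminating",
    "[28-Sep-2022 10:01:39] WARNING: [pool www] child 2142, script '/var/www/html/upload.php' "
    "(request: \"POST /upload.php\") execution timed out (30.004112 sec), terminating",
    "[28-Sep-2022 10:02:10] WARNING: [pool www] child 2143, script '/var/www/html/upload.php' "
    "(request: \"POST /upload.php\") execution timed out (30.009870 sec), terminating",
    "[28-Sep-2022 10:02:44] WARNING: [pool www] child 2140, script '/var/www/html/report.php' "
    "(request: \"GET /report.php\") execution timed out (30.100000 sec), terminating",
    "[28-Sep-2022 10:03:00] NOTICE: [pool www] child 2150 started",
    "[28-Sep-2022 10:04:55 UTC] PHP Fatal error:  Maximum execution time of 30 seconds "
    "exceeded in /var/www/html/upload.php on line 42",
]

TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})"

# php-fpm: child killed by request_terminate_timeout
FPM_TIMEOUT = re.compile(
    r"^\[" + TS + r"\] WARNING: \[pool [^\]]+\] child \d+, "
    r"script '(?P<script>[^']+)' \(request: \"[^\"]*\"\) "
    r"execution timed out \((?P<secs>[\d.]+) sec\), terminating$"
)
# PHP engine: script killed by max_execution_time
PHP_MAXEXEC = re.compile(
    r"^\[" + TS + r"[^\]]*\] PHP Fatal error:\s+Maximum execution time of \d+ seconds "
    r"exceeded in (?P<script>\S+) on line \d+$"
)


def parse_timeout_event(line: str):
    """Return {'source', 'script', 'ts'} for a timeout line, or None for anything else."""
    for source, pattern in (("php-fpm", FPM_TIMEOUT), ("php-error", PHP_MAXEXEC)):
        match = pattern.match(line)
        if match:
            return {
                "source": source,
                "script": match.group("script"),
                "ts": datetime.strptime(match.group("ts"), "%d-%b-%Y %H:%M:%S"),
            }
    return None


def find_timeout_bursts(lines, threshold: int = 3, window_seconds: int = 600):
    """Return [(script, peak_count)] for scripts with >= threshold timeouts inside any window.

    threshold and window_seconds are assumed tuning values for this example.
    """
    by_script = defaultdict(list)
    for line in lines:
        event = parse_timeout_event(line)
        if event:
            by_script[event["script"]].append(event["ts"])

    alerts = []
    for script, times in sorted(by_script.items()):
        times.sort()
        peak = 0
        start = 0
        for end, current in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (current - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((script, peak))
    return alerts


if __name__ == "__main__":
    for script, count in find_timeout_bursts(SAMPLE_LOG):
        print(f"ALERT: {count} timeouts for {script} within 10 minutes; "
              "inspect the inputs that script was processing")
```

A single timeout is routine; the signal for this class of bug is the same script timing out repeatedly while handling archive input, which is why the detector keys on per-script bursts rather than individual events. Pair it with the CPU-utilization monitoring listed above, since a process stuck in the decompression loop is pinned at full utilization until the timeout terminates it.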
Monitoring Recommendations
- Configure process monitoring to alert on PHP processes exceeding normal CPU thresholds for extended periods
- Implement resource limits (max_execution_time, memory_limit) in PHP configuration to contain runaway processes
- Enable detailed logging for file processing operations that involve phar or gzip functionality
- Deploy SentinelOne Singularity platform to detect and respond to anomalous process behavior indicative of DoS attacks
How to Mitigate CVE-2022-31628
Immediate Actions Required
- Upgrade PHP to version 7.4.31, 8.0.24, 8.1.11, or later immediately
- Review and restrict file upload functionality that processes phar archives
- Implement strict input validation for any application accepting archive files
- Configure PHP resource limits to contain potential infinite loop scenarios
Patch Information
The PHP development team addressed this vulnerability in the following versions:
- PHP 7.4.31 and later
- PHP 8.0.24 and later
- PHP 8.1.11 and later
Organizations should prioritize upgrading to patched versions. Additional vendor advisories are available:
- Debian Security Advisory DSA-5277
- Debian LTS Announcement
- Gentoo GLSA 202211-03
- NetApp Security Advisory
Workarounds
- Set phar.readonly = 1 in php.ini if the application does not need to create or modify phar archives
- Implement strict file type validation before processing any uploaded archives
- Configure web application firewalls to inspect and filter suspicious archive uploads
- Use process isolation and resource limits to contain potential DoS impact
# PHP configuration hardening for phar handling
# Add to php.ini or php-fpm pool configuration
# Disable phar write operations (recommended if creating phars is not needed)
phar.readonly = 1
# Cap script execution time so a runaway decompression loop is terminated
max_execution_time = 30
# Limit memory to contain resource exhaustion
memory_limit = 128M
# Require phar archives to carry a valid signature before they are opened
phar.require_hash = 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

