CVE-2023-0567 Overview
CVE-2023-0567 affects the PHP password_verify() function across multiple branches of the language runtime. Versions 8.0.x before 8.0.28, 8.1.x before 8.1.16, and 8.2.x before 8.2.3 may accept some malformed Blowfish (bcrypt) hashes as valid. When a corrupted or invalid hash reaches the password database, the function can return true for arbitrary passwords against that entry. The flaw maps to CWE-916: Use of Password Hash With Insufficient Computational Effort. Local authenticated attackers, or any actor able to influence stored hashes, can leverage the weakness to bypass authentication for affected accounts.
Critical Impact
An invalid Blowfish hash in the password store causes password_verify() to accept any password as valid, enabling silent authentication bypass for affected accounts.
Affected Products
- PHP 8.0.x prior to 8.0.28
- PHP 8.1.x prior to 8.1.16
- PHP 8.2.x prior to 8.2.3
Discovery Timeline
- 2023-03-01 - CVE-2023-0567 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2023-0567
Vulnerability Analysis
The vulnerability resides in the PHP password_verify() function, which validates a plaintext password against a stored hash. PHP supports several algorithms, with bcrypt (Blowfish) as the historical default. The function delegates Blowfish comparison to the underlying crypt() routine. When the stored hash is malformed in specific ways, crypt() can return an empty or attacker-controllable output that the verification routine treats as a successful match.
The practical effect is silent authentication bypass. An application checking a user-supplied password against a corrupted hash entry receives a true result regardless of the password submitted. The vulnerability does not require network access and does not impact confidentiality or availability directly. It impacts integrity of authentication, which is the highest-value control in most web applications.
This class of flaw belongs to the broader category of weak password hashing and verification logic tracked under CWE-916.
Root Cause
The root cause is insufficient validation of the Blowfish hash format inside password_verify(). The function did not reject all malformed hash strings before delegating to crypt(). Certain malformed inputs caused crypt() to produce return values that the verification path compared as equal to attacker-supplied inputs, producing false positives. Details and the upstream fix are documented in the GitHub Security Advisory GHSA-7fj2-8x79-rjf4 and the PHP Bug Report #81744.
Attack Vector
Exploitation requires that an invalid Blowfish hash exists in the password database for a target account. This can occur through data corruption, faulty migration scripts, manual database edits, or upstream issues that truncate or alter hash strings. An attacker with write access to the password store, or one able to register or trigger creation of an account whose hash is stored incorrectly, can subsequently authenticate as that account using any password. The attack vector is local per the CVSS metrics, reflecting that the attacker must influence stored data rather than reach the function purely over the network.
No public proof-of-concept is referenced in the advisory, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the GitHub Security Advisory for technical details of the malformed hash patterns.
Detection Methods for CVE-2023-0567
Indicators of Compromise
- Entries in the user password table whose hash does not conform to the standard bcrypt format ($2y$<cost>$<22-char-salt><31-char-hash>).
- Successful authentication events for accounts whose stored hash is truncated, empty, or otherwise malformed.
- Unexpected login activity for service or legacy accounts that have not had recent password resets.
Detection Strategies
- Query the user database for password hashes that fail a strict regex match against the valid bcrypt format and flag any non-conforming rows.
- Run PHP version inventories across web servers and containers to identify hosts running PHP versions earlier than 8.0.28, 8.1.16, or 8.2.3.
- Correlate authentication success logs with the set of accounts whose hashes were created or modified before the patched runtime was deployed.
Monitoring Recommendations
- Alert on writes to password hash columns originating from sources other than the application's password reset flow.
- Forward web application authentication logs to a centralized analytics platform and baseline login patterns per account to surface anomalies.
- Track PHP runtime versions as part of software bill of materials and trigger alerts when unpatched versions are observed in production.
How to Mitigate CVE-2023-0567
Immediate Actions Required
- Upgrade PHP to 8.0.28, 8.1.16, 8.2.3, or later on all systems running the affected branches.
- Audit the user password table for malformed bcrypt hashes and force password resets on any accounts with non-conforming entries.
- Review database write paths and remove any non-application processes capable of modifying password hash columns.
Patch Information
The PHP project released fixes in versions 8.0.28, 8.1.16, and 8.2.3. The upstream fix and affected branches are documented in the GitHub Security Advisory GHSA-7fj2-8x79-rjf4 and the PHP Bug Report #81744. Downstream vendors have published their own guidance, including the NetApp Security Advisory NTAP-20230331-0008.
Workarounds
- Validate hash format at the application layer before calling password_verify(), rejecting any stored value that does not match the strict bcrypt regex.
- Re-hash passwords on the next successful login, using password_needs_rehash() to decide when a stored entry is due, so that every entry is regenerated by the patched runtime.
- Restrict direct database access to the credentials table to the application service account only and audit any privileged access.
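The following PHP script is an added example, not code from the advisory, from the PHP project, or from any downstream vendor. It ties together the detection strategy above (flag rows whose hash fails a strict bcrypt regex) and the first two workarounds (validate the stored hash format before calling password_verify(), and re-hash on the next successful login). The function names, the row layout and the sample rows are this example's own assumptions; the only PHP APIs used are password_hash(), password_verify(), password_needs_rehash() and preg_match().

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or of PHP itself. Function names
// and the sample rows below are assumptions made for illustration.

// Strict bcrypt shape: $2a/$2b/$2y prefix, two-digit cost, then 22-char salt
// + 31-char hash = 53 characters from the bcrypt base64 alphabet.
// The /D modifier stops '$' from matching before a trailing newline.
const BCRYPT_STRICT_REGEX = '/^\$2[aby]\$[0-9]{2}\$[.\/A-Za-z0-9]{53}$/D';

function isWellFormedBcrypt(string $hash): bool
{
    return preg_match(BCRYPT_STRICT_REGEX, $hash) === 1;
}

/**
 * Verify $password against $storedHash only after confirming the stored value
 * is a well-formed bcrypt string. A malformed hash is treated as a failed
 * login and reported separately so the account can be flagged for reset.
 *
 * @return array{ok: bool, malformed: bool, newHash: ?string}
 */
function verifyPasswordStrict(string $password, string $storedHash): array
{
    if (!isWellFormedBcrypt($storedHash)) {
        // Never hand a non-conforming hash to password_verify(); on an
        // unpatched runtime this is exactly the input that can be misjudged.
        return ['ok' => false, 'malformed' => true, 'newHash' => null];
    }

    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'malformed' => false, 'newHash' => null];
    }

    // Successful login: if the entry does not match the current default
    // algorithm and cost, produce a fresh hash for the caller to store.
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return ['ok' => true, 'malformed' => false, 'newHash' => $newHash];
}

/**
 * Audit helper: given rows of ['username' => ..., 'hash' => ...], return the
 * usernames whose stored hash fails the strict format check. These are the
 * accounts that should receive a forced password reset.
 *
 * @param array<int, array{username: string, hash: string}> $rows
 * @return string[]
 */
function findMalformedHashRows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (!isWellFormedBcrypt($row['hash'])) {
            $flagged[] = $row['username'];
        }
    }
    return $flagged;
}

// Constructed sample rows (not real data). The first hash is generated at
// runtime; the others imitate truncated, empty and non-bcrypt entries of the
// kind a faulty migration or manual edit could leave behind.
$goodHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$rows = [
    ['username' => 'alice',   'hash' => $goodHash],
    ['username' => 'bob',     'hash' => substr($goodHash, 0, 40)],            // truncated
    ['username' => 'svc-api', 'hash' => ''],                                  // empty column
    ['username' => 'legacy',  'hash' => 'e99a18c428cb38d5f260853678922e03'], // unsalted MD5 remnant
];

echo 'Non-conforming hashes: ' . implode(', ', findMalformedHashRows($rows)) . PHP_EOL;

$r = verifyPasswordStrict('correct horse battery staple', $rows[0]['hash']);
echo 'alice login: ' . ($r['ok'] ? 'accepted' : 'rejected') . PHP_EOL;

$r = verifyPasswordStrict('anything', $rows[1]['hash']);
echo 'bob login: ' . ($r['ok'] ? 'accepted' : 'rejected')
    . ($r['malformed'] ? ' (malformed hash, flag for reset)' : '') . PHP_EOL;
```

Run it with the PHP CLI (php script.php). The format check runs before password_verify() on every login, so it protects an unpatched runtime against the malformed-hash case independently of the upgrade, and the audit helper gives the list of accounts the Immediate Actions section says to force-reset. The regex is the same one used in the grep command below, so application-layer and offline checks agree on what counts as conforming.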
# Verify the installed PHP version on affected hosts
php -v
# Example regex check for valid bcrypt hash format (one hash per line in the export)
grep -E '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' /path/to/hash_export.txt
# Invert the match to list the non-conforming entries that need a forced reset
grep -vE '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' /path/to/hash_export.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.