CVE-2023-0662 Overview
CVE-2023-0662 is a Resource Exhaustion vulnerability affecting PHP versions 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. The vulnerability allows attackers to cause a denial of service condition by sending HTTP form uploads with an excessive number of parts, leading to high resource consumption and excessive log entries. This can exhaust CPU resources or fill disk space on the affected server.
Critical Impact
Attackers can remotely trigger denial of service by exhausting server CPU resources or disk space through malformed HTTP form uploads, potentially causing complete service unavailability.
Affected Products
- PHP 8.0.X before 8.0.28
- PHP 8.1.X before 8.1.16
- PHP 8.2.X before 8.2.3
Discovery Timeline
- 2023-02-16 - CVE-2023-0662 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-0662
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The flaw exists in PHP's handling of multipart HTTP form uploads. When processing form data with an excessive number of parts, PHP fails to implement adequate limits on resource consumption, allowing attackers to craft malicious requests that consume disproportionate server resources.
The vulnerability can be exploited remotely without authentication. An attacker does not need any special privileges or user interaction to trigger the denial of service condition. The attack targets the availability of the system while leaving confidentiality and integrity unaffected.
Root Cause
The root cause lies in PHP's multipart form data parser, which does not adequately limit the number of form parts that can be processed in a single request. When an attacker submits a form with an extremely large number of parts, the server attempts to process each one, leading to excessive CPU utilization. Additionally, each malformed or excessive part may generate log entries, rapidly consuming disk space and potentially filling storage volumes.
Attack Vector
The attack is conducted over the network against PHP applications that accept HTTP form uploads. An attacker crafts HTTP POST requests with multipart/form-data content type containing an excessive number of form parts. These requests are sent to any PHP endpoint that processes form data.
The attack does not require authentication or user interaction. By sending multiple malicious requests concurrently, an attacker can amplify the impact and quickly exhaust server resources, rendering the application unavailable to legitimate users.
For technical details on the vulnerability mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2023-0662
Indicators of Compromise
- Unusual spikes in CPU utilization on web servers running vulnerable PHP versions
- Rapid growth in PHP error logs or web server access logs
- HTTP POST requests with abnormally high Content-Length values or excessive multipart boundaries
- Disk space exhaustion on partitions containing log files
Detection Strategies
- Monitor web server logs for HTTP POST requests with multipart/form-data content type that have unusually high part counts
- Implement network-level detection rules to identify requests with excessive multipart boundaries
- Configure alerting on rapid CPU utilization increases correlated with web traffic patterns
- Deploy web application firewall (WAF) rules to block requests exceeding normal form part thresholds
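A detection prototype for the first two strategies above, added here as an example and not code from the page or from the PHP project: it pulls the boundary out of the Content-Type header, counts opening part delimiters in the body, and flags requests whose part count exceeds a tunable threshold. The 200-part threshold and the sample request bodies are constructed assumptions; the threshold should be set from the application's real form sizes.

```python
import re

# Boundary parameter of a multipart/form-data Content-Type, quoted or bare.
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]+)"|([^;\s]+))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the multipart boundary string, or None if the header carries none."""
    if not content_type or not content_type.lower().startswith("multipart/form-data"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    return (m.group(1) or m.group(2)) if m else None


def count_multipart_parts(content_type, body):
    """Count parts by counting opening delimiters ("--boundary" + CRLF).
    The closing delimiter ("--boundary--") is not a part and does not match."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return 0
    return body.count(b"--" + boundary.encode("ascii", "replace") + b"\r\n")


def assess_request(headers, body, max_parts=200):
    """Verdict for one request. max_parts is an assumed, per-application
    threshold for alerting or WAF blocking, not a PHP default."""
    parts = count_multipart_parts(headers.get("Content-Type", ""), body)
    return {"parts": parts, "suspicious": parts > max_parts}


def build_multipart(boundary, fields):
    """Construct a multipart/form-data body (sample input for offline testing)."""
    out = bytearray()
    for name, value in fields:
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += value + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


# Constructed samples: a benign two-field form and a 5000-part flood.
BOUNDARY = "----ConstructedBoundary42"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
NORMAL_BODY = build_multipart(BOUNDARY, [("title", b"hello"), ("file", b"data")])
FLOOD_BODY = build_multipart(BOUNDARY, [(f"f{i}", b"x") for i in range(5000)])

if __name__ == "__main__":
    for label, body in (("normal", NORMAL_BODY), ("flood", FLOOD_BODY)):
        print(label, assess_request({"Content-Type": CONTENT_TYPE}, body))
```

The same counting can be run over a captured request body from a proxy log or a PCAP before the request is handed to PHP, which is where a part-count check actually saves CPU.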
Monitoring Recommendations
- Enable detailed logging for HTTP form submissions and monitor for anomalies
- Set up disk space monitoring with alerts for rapid consumption on log partitions
- Configure PHP error log rotation to prevent disk exhaustion from excessive logging
- Implement rate limiting on endpoints that accept file uploads or form submissions
How to Mitigate CVE-2023-0662
Immediate Actions Required
- Upgrade PHP to version 8.0.28 or later for the 8.0.X branch
- Upgrade PHP to version 8.1.16 or later for the 8.1.X branch
- Upgrade PHP to version 8.2.3 or later for the 8.2.X branch
- Review and restrict access to form upload endpoints where possible
Patch Information
PHP has released patched versions addressing this vulnerability. Organizations should update to the following minimum versions:
- PHP 8.0.28 for the 8.0.X series
- PHP 8.1.16 for the 8.1.X series
- PHP 8.2.3 for the 8.2.X series
For additional information, refer to the GitHub Security Advisory and the NetApp Security Advisory.
Workarounds
- Implement web application firewall rules to limit the number of form parts per request
- Configure rate limiting at the reverse proxy or load balancer level for form submission endpoints
- Restrict access to file upload functionality to authenticated users only
- Implement request body size limits at the web server level to reduce attack surface
# Example nginx configuration: request body size limit plus rate limiting for upload endpoints
# limit_req_zone is only valid in the http context; client_max_body_size and limit_req
# may be placed in the http, server or location context.
http {
    # Cap the request body; oversized multipart uploads are rejected with 413
    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # One shared zone keyed by client address, allowing 5 requests per second
    limit_req_zone $binary_remote_addr zone=uploads:10m rate=5r/s;

    server {
        location /upload {
            # Allow short bursts of 10; excess requests are rejected immediately (503)
            limit_req zone=uploads burst=10 nodelay;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

