password_verify can erroneously return true

Publication Date2024-04-12
SeverityModerate
TypePrivilege Escalation
Affected PHP Versions
  • 5.5.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.33
  • 7.4.0 - 7.4.33
  • 8.0.0 - 8.0.30
  • 8.1.0 - 8.1.27
  • 8.2.0 - 8.2.17
  • 8.3.0 - 8.3.5
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2019.1.6
  • ZendServer 2021.3.4

CVE Details

If a password stored with password_hash() starts with a null byte (\x00), passing a blank string to password_verify() will incorrectly return true.

Recommendations

While this vulnerability is syntactically possible, it's a highly unlikely scenarioMost users will not likely use null bytes when creating passwords, and the majority of frameworks and applications do some validation on character sets and length to ensure strong passwords. If at all possible, disallow leading null bytes in passwords through good input filtering practices.

If you use password_hash() and password_verify(), and cannot validate that passwords were filtered for null bytes before being hashed and stored in your system, update to a patched version of PHP immediately.