PatchSiren cyber security CVE debrief

CVE-2016-6175 PHP Gettext Project CVE debrief

CVE-2016-6175 is a critical remote code execution issue in php-gettext 1.0.12 and earlier. The flaw is an eval injection: a crafted Plural-Forms header, such as one carried in an untrusted translation file, reaches PHP's eval and allows arbitrary PHP code execution with no user interaction. NVD rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-94 (code injection).

Vendor: PHP Gettext Project
Product: CVE-2016-6175
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Teams running php-gettext 1.0.12 or earlier, and maintainers of applications that bundle or vendor that library. Web application owners should treat this as urgent because successful exploitation can fully compromise the PHP process and the host application.

Technical summary

The vulnerable component is php-gettext; NVD lists affected versions up to and including 1.0.12. The weakness is classified as CWE-94 (code injection) and described as an eval injection triggered by a crafted plural forms header. Based on the supplied NVD data, the attack is reachable over the network, requires no privileges or user interaction, and can result in full compromise of confidentiality, integrity, and availability.
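The bug class behind this CVE is a header value reaching eval. The fix pattern is to parse the Plural-Forms expression against the small C integer-expression grammar GNU gettext documents for it and build the selector yourself, so nothing outside that grammar is ever evaluated. The following is added example code in Python, not php-gettext's own code or its actual patch; it assumes the caller passes the header value (the part after "Plural-Forms:") and that only the variable n, integer literals, ?:, ||, &&, comparisons, % and parentheses are legitimate.

```python
import operator as op
import re

# Tokens of the C-style expression GNU gettext allows in Plural-Forms: the variable n, integer
# literals, ?: || && == != < > <= >= % and parentheses. Anything else is rejected, never evaluated.
_TOKEN = re.compile(r"\d+|n|\|\||&&|==|!=|<=|>=|[<>%?:()]")
_HEADER = re.compile(r"^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.*?)\s*;?\s*$", re.S)
_OPS = {"||": lambda a, b: int(bool(a) or bool(b)), "&&": lambda a, b: int(bool(a) and bool(b)),
        "==": op.eq, "!=": op.ne, "<": op.lt, ">": op.gt, "<=": op.le, ">=": op.ge, "%": op.mod}
_LEVELS = [("||",), ("&&",), ("==", "!="), ("<", ">", "<=", ">="), ("%",)]  # lowest precedence first

class UnsafePluralForms(ValueError): pass  # the header contains something outside the grammar above

def _compile(toks):  # recursive-descent parse of the token list into a closure n -> int; no eval()
    def take(want=None):
        if not toks or (want and toks[0] != want):
            raise UnsafePluralForms(f"expected {want or 'an operand'}, got {toks[:1]}")
        return toks.pop(0)

    def expr():  # cond ? expr : expr, or just cond
        cond = binary(0)
        if toks[:1] != ["?"]: return cond
        take("?"); yes = expr(); take(":"); no = expr()
        return lambda n: yes(n) if cond(n) else no(n)

    def binary(level):  # left-associative binary operators, one precedence level per call
        if level == len(_LEVELS): return primary()
        left = binary(level + 1)
        while toks and toks[0] in _LEVELS[level]:
            f, right = _OPS[take()], binary(level + 1)
            left = (lambda l, r, f: lambda n: f(l(n), r(n)))(left, right, f)
        return left

    def primary():
        tok = take()
        if tok == "(":
            inner = expr(); take(")"); return inner
        if tok == "n": return lambda n: n
        if tok.isdigit(): return lambda n, v=int(tok): v
        raise UnsafePluralForms(f"unexpected token {tok!r}")

    fn = expr()
    if toks: raise UnsafePluralForms(f"trailing input {toks[0]!r}")
    return fn

def parse_plural_forms(header):
    """Parse 'nplurals=N; plural=EXPR;' into (nplurals, index_fn), or raise UnsafePluralForms."""
    m = _HEADER.match(header)
    if not m: raise UnsafePluralForms("header is not of the form 'nplurals=N; plural=EXPR;'")
    expr, toks = m.group(2), _TOKEN.findall(m.group(2))
    if "".join(toks) != re.sub(r"\s+", "", expr):  # a character outside the grammar was skipped
        raise UnsafePluralForms(f"illegal characters in plural expression {expr!r}")
    fn = _compile(toks)
    return int(m.group(1)), (lambda n: int(fn(n)))
```

Treat an UnsafePluralForms exception as a signal to reject the translation file, not to fall back to a looser parser.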

Defensive priority

Critical priority. The combination of network exposure, no authentication, no user interaction, and remote code execution warrants immediate remediation.

Recommended defensive actions

  • Inventory all applications, libraries, and containers that include php-gettext.
  • Upgrade php-gettext to a version newer than 1.0.12 as soon as possible.
  • If immediate upgrading is not possible, isolate affected systems and reduce exposure of any code paths that process untrusted translation files or headers.
  • Rebuild and redeploy any packaged applications that vendor the vulnerable library so the fix is actually present in production.
  • Verify remediation by checking the deployed php-gettext version and confirming the affected code path is no longer present.

Evidence notes

Supplied NVD data identifies php-gettext_project versions through 1.0.12 as vulnerable, assigns CVSS 3.0 9.8, and maps the issue to CWE-94. The description states that a crafted plural forms header can lead to arbitrary PHP code execution. NVD also lists related references to a Launchpad bug, a GitHub commit, a blog advisory, and an Exploit-DB entry.

Official resources

CVE published on 2017-02-07 and last modified by NVD on 2026-05-13. The supplied record does not include a KEV listing.