PatchSiren cyber security CVE debrief

CVE-2016-5873 PHP CVE debrief

CVE-2016-5873 is a critical memory-corruption issue in the pecl_http HTTP URL parsing functions. A remote attacker can trigger a buffer overflow by supplying crafted URLs containing non-printable characters, which can lead to arbitrary code execution on affected systems.

Vendor
PHP
Product
Pecl HTTP
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Organizations that use the pecl_http PHP extension, especially internet-facing applications or services that accept and parse user-controlled URLs. Security teams responsible for PHP package inventories, Linux distro packages, and embedded application stacks should treat this as a high-priority upgrade item.

Technical summary

The vulnerability is a CWE-119 buffer overflow in pecl_http’s URL parsing logic. NVD rates it CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable issue with no privileges or user interaction required. The supplied description says the flaw can be triggered with non-printable characters in a URL, and the vendor references point to a fix released in pecl_http 3.0.1.

Defensive priority

Immediate. This is a remotely exploitable critical issue with full confidentiality, integrity and availability impact in NVD scoring, so affected deployments should be upgraded or otherwise remediated as soon as possible.

Recommended defensive actions

  • Upgrade pecl_http to 3.0.1 or later.
  • Inventory servers and applications that include the pecl_http extension, including packaged and bundled deployments.
  • Apply the vendor or distribution update path that delivers the fixed release, and verify the installed version after patching.
  • If you cannot upgrade immediately, disable or remove the extension from exposed systems until remediation is complete.
  • Validate that security scans and package management processes check for pecl_http specifically, not only the PHP runtime.
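The inventory and post-patch verification steps above can be scripted. The following is an added example, not code from PatchSiren or from the pecl_http project: it asks the local PHP CLI for the loaded pecl_http version via `phpversion("http")` and flags anything below the 3.0.1 remediation release. It assumes a `php` binary on PATH and that the CLI loads the same extensions as the web SAPI being assessed (assumptions, not facts from the advisory).

```python
#!/usr/bin/env python3
"""Check whether a pecl_http installation predates the 3.0.1 fix for CVE-2016-5873."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (3, 0, 1)  # remediation release named in the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a version string such as '3.0.1' or '2.6.0RC1' to a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised pecl_http version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True when the given pecl_http version is below the fixed release 3.0.1."""
    return parse_version(version) < FIXED_VERSION


def classify(php_output: str) -> str:
    """Map the output of the PHP probe below to one of: absent, vulnerable, fixed."""
    text = php_output.strip()
    if text == "" or text == "not loaded":
        return "absent"  # extension not compiled in or not enabled for this SAPI
    return "vulnerable" if is_vulnerable(text) else "fixed"


def installed_http_version(php_binary: str = "php") -> Optional[str]:
    """Ask the local PHP CLI for the loaded pecl_http version; None if PHP is unavailable."""
    if shutil.which(php_binary) is None:
        return None
    # phpversion("http") returns false when the extension is not loaded.
    # Assumption: the CLI php.ini enables the same extensions as the web SAPI.
    probe = 'echo phpversion("http") ?: "not loaded";'
    result = subprocess.run([php_binary, "-r", probe], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    output = installed_http_version()
    if output is None:
        print("php CLI not found; inspect phpinfo() or the package manager instead")
    else:
        print(f"pecl_http status: {classify(output)} ({output.strip() or 'no output'})")
```

Run it on each host found by the inventory step; an "absent" result on a host whose web SAPI does load the extension means the CLI and web configurations differ and the web SAPI must be checked directly.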

Evidence notes

The CVE description states that pecl_http before 3.0.1 contains a buffer overflow in HTTP URL parsing functions that may allow arbitrary code execution via non-printable characters in a URL. The NVD record assigns CVSS 3.0 9.8 and CWE-119, and lists pecl_http versions up to 3.0.1 in the vulnerable CPE criteria. The supplied references include upstream patch material and the pecl_http 3.0.1 release notes, which support 3.0.1 as the remediation release.

Official resources

The CVE record was published on 2017-01-23. The supplied reference corpus also includes upstream patch and advisory references dated 2016-06-29, showing prior vendor discussion and remediation context.