Versions
3.21.8
4.27.1
4.42.1
3.25.2
3.30.2
4.118.0
3.25.3
4.25.1
4.117.0
4.95.0
4.18.3
4.40.1
4.117.1
4.6.1
4.21.1
4.42.0
4.56.1
4.25.0
4.18.0
4.26.0
3.24.6
4.56.3
3.24.7
4.8.7
4.45.0
4.8.5
4.98.0
4.82.1
4.20.2
4.94.0
4.80.1
4.96.1
4.80.2
4.40.0
4.78.1
4.83.0
4.118.2
4.8.4
4.20.0
4.95.1
3.27.8
3.27.6
4.169.0
3.30.10
4.0.0
4.114.0
4.61.0
4.60.0
3.30.9
4.19.2
4.97.1
3.30.1
4.5.0
4.62.0
4.7.0
4.15.3
4.57.0
4.171.0
4.94.1
4.4.0
4.44.1
4.3.1
4.58.2
4.79.1
4.80.0
3.25.0
4.102.0
4.79.0
4.81.1
4.57.1
4.113.0
4.115.0
4.61.1
4.43.0
4.4.1
4.115.1
4.41.1
4.43.1
0
4.23.2
4.32.1
4.8.0
4.56.2
3.30.11
4.17.0
4.98.1
4.59.0
3.26.3
4.8.1
3.30.0
4.102.2
4.16.4
4.82.0
4.38.1
4.96.0
3.21.11
4.113.1
3.24.4
4.81.0
4.172.0
4.22.0
4.0.4
4.39.0
4.6.0
4.97.0
4.28.2
4.80.5
4.18.2
4.39.1
4.41.0
4.7.1
4.28.0
4.9.0
3.27.5
4.170.0
4.154.0
4.22.1
4.58.0
4.16.0
4.116.1
4.33.0
4.27.0
4.116.0
4.32.3
4.114.1
3.30.5
unspecified
4.83.1
4.59.1
4.26.1
4.23.0
4.17.3
3.26.0
4.19.1
3.30.12
4.24.1
4.21.0
3.21.10
3.30.6
4.5.1
4.8.6
4.44.0
4.45.1
4.24.0
4.20.3
3.22.0
4.60.1
4.93.2
4.19.0
4.62.1
Recent CVEs
CVE-2022-36937
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS 1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, and 4.173.0 replace TLS 1.0 with TLS 1.3. Applications that call the stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.
CVE-2019-11935
Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
CVE-2019-11930
An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
CVE-2019-11926
Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.
CVE-2018-6345
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).
CVE-2018-6340
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
CVE-2018-6337
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That results in multiple forked children producing repeated (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
CVE-2018-6334
Multipart-file uploads cause variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used, this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
CVE-2018-6335
A malformed h2 frame can cause a 'std::out_of_range' exception when parsing priority metadata. This behavior can lead to denial of service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.
CVE-2018-6332
A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests.