Zend Framework is an open-source, object-oriented web application framework for PHP. The framework has been downloaded and installed 570 million times.
This week, security researchers disclosed a deserialization vulnerability (CVE-2021-3007) in the framework, which may also affect some instances of the Laminas Project, the successor of Zend Framework.
“Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php,” states MITRE’s advisory for CVE-2021-3007.
Researcher Ling Yizhou disclosed the details of the vulnerability on GitHub; the published chain targets Zend Framework version 3.0.0. In some cases, vulnerable PHP applications may be exposed to remote code execution.
It should be noted that the untrusted-deserialization flaw has to exist in the application itself: Zend Framework is not the vulnerable component, but the class chain it provides can help an attacker who controls the data passed to unserialize() turn that application flaw into remote code execution.
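The application-side mistake described above, next to two hardened alternatives, as an added example in PHP (not code from the article or from the Zend/Laminas project; the `restorePreferences*` functions and the sample payloads are constructed for illustration):

```php
<?php
// Added example (not from the article or the Zend/Laminas project): the
// application bug that lets a gadget chain such as the __destruct of
// Zend\Http\Response\Stream run, beside two hardened forms.

// VULNERABLE: a cookie or request parameter goes straight into unserialize().
// PHP instantiates every class named in the payload and later runs its
// __destruct, so whoever controls $data picks which classes (gadgets) get built.
function restorePreferencesUnsafe(string $data): array
{
    $obj = @unserialize($data);
    return is_array($obj) ? $obj : [];
}

// HARDENED 1: never build objects from the payload. With allowed_classes => false
// every object becomes __PHP_Incomplete_Class, which has no __destruct/__wakeup
// code, so no chain can start. Reject any leftover object placeholder as well.
function restorePreferencesSafe(string $data): array
{
    $obj = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($obj)) {
        return [];
    }
    array_walk_recursive($obj, function ($v) {
        if (is_object($v)) {
            throw new UnexpectedValueException('objects are not allowed in preferences');
        }
    });
    return $obj;
}

// HARDENED 2 (preferred for new code): a data-only format that cannot name
// classes at all; validate the decoded shape afterwards.
function restorePreferencesJson(string $data): array
{
    $obj = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    return is_array($obj) ? $obj : [];
}

// Constructed sample inputs for a local check (stdClass stands in for any class
// an attacker might name; with allowed_classes => false it is not instantiated).
$benign        = serialize(['theme' => 'dark', 'perPage' => 25]);
$objectPayload = 'O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}';

var_dump(restorePreferencesSafe($benign));
var_dump(unserialize($objectPayload, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class);
var_dump(restorePreferencesJson('{"theme":"dark"}'));
```

Detection of the unsafe pattern is a matter of grepping the code base for unserialize() calls whose argument derives from request data; the `allowed_classes` option has been available since PHP 7.0.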