CVE-2026-48979
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The PHP Standard Library (PSL) has a vulnerability in versions 6.1.0, 6.1.1, and 6.2.0 related to the lack of validation of the total bytes received in DATA frames against the content-length header in HEADERS frames, allowing request smuggling. A malicious client can send more or fewer DATA bytes than declared, leading to incorrect application behavior.
Risk Assessment
Organizations using Psl\H2\ServerConnection to accept untrusted client traffic are at risk of smuggling attacks, which could lead to unauthorized data access or incorrect application behavior.
Recommendation
It is recommended to upgrade to versions 6.1.2 or 6.2.1 to mitigate this vulnerability. Additionally, consider restricting the use of Psl\H2\ServerConnection to trusted sources.
Original NVD description (English source)
PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level size limits and send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly. The vulnerability is only reachable for consumers using Psl\H2\ServerConnection directly to accept untrusted client traffic. Consumers of documented high-level PSL APIs are not affected. This issue has been fixed in versions 6.1.2 and 6.2.1.

