Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-4v5g-8pq2-32m2

By-passing Protection of PharStreamWrapper Interceptor

Published
Jun 5, 2024
Updated
Dec 2, 2024
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

Blast Radius

2 pkgs affected
🐘typo3/phar-stream-wrapper🐘typo3/phar-stream-wrapper

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory.

In addition, a new interceptor was introduced to protect possible (but unknown) vulnerabilities in 3rd party components like TYPO3 extensions. Basically, the PharStreamWrapper intercepts direct invocations of Phar archives and allows or denies further processing based on individual rules.

Recently, the PharStreamWrapper was extracted from the TYPO3 core and released as standalone package under the MIT license. It is now available for any PHP driven project.

The stream wrapper overwrites the existing Phar handling of PHP, applies its own assertions and then restores the native PHP Phar handling for the corresponding commands (e.g. file_exists, include, fopen) to continue processing. After that, the native PHP Phar handling gets disabled and is overwritten by the logic of the PharStreamWrapper again. This is the only way to control invocations of Phar archives as PHP only allows a single handler for each corresponding stream.

We were informed that exception and error handlers in custom applications (e.g. TYPO3 extensions) sometimes didn't return to the original operating sequence of the PharStreamWrapper. A possible consequence was that the unprotected native PHP Phar handling remained active and therefore became vulnerable for the basic issue of insecure deserialization again.

Examples Take a look at the following examples showing how the handling is by-passed in custom application code.

Scenario A: Exception thrown from code organized in a Phar archive

try {
    include('phar://path-to-archive/good-archive.phar');
} catch (\Throwable $throwable) {
    // not doing much here, continue execution
}
// the insecure value can be anything that is or was user-submitted
// and cannot be trusted in terms of security, $_GET is just used as example
$insecureValue = $_GET['path'];
// the value might be 'phar://path-to-archive/malicious-archive.phar'
file_exists($insecureValue);

Scenario B: Errors converted to exceptions and thrown when interacting with archive contents

// set error handler in order to convert errors to exceptions
set_error_handler(function($errno, $errstr, $errfile, $errline, array $errcontext) {
   throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});
// interacting with Phar archive
try {
   $resource = opendir('phar://path-to-archive/good-archive.phar/non-existing-path/');
   closedir($resource);
} catch (\Throwable $throwable) {
   // not doing much here, continue execution
}
// the insecure value can be anything that is or was user-submitted
// and cannot be trusted in terms of security, $_GET is just used as example
$insecureValue = $_GET['path'];
// the value might be 'phar://path-to-archive/malicious-archive.phar'
file_exists($insecureValue);

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagisttypo3/phar-stream-wrapper1.0.0&&< 2.0.12.0.1
🐘Packagisttypo3/phar-stream-wrapper3.0.0&&< 3.0.13.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for typo3/phar-stream-wrapper. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update typo3/phar-stream-wrapper to 2.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4v5g-8pq2-32m2 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4v5g-8pq2-32m2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4v5g-8pq2-32m2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory. In addition, a new interceptor was introduced to protect possible (but unknown) vulnerabilities in 3rd party components like TYPO3 extensions. Basically, the PharStreamWrapper intercepts direct invocations of Phar archives and allows or denies further processing
O3 Security · Impact-Aware SCA

Is GHSA-4v5g-8pq2-32m2 in your dependencies?

O3 detects GHSA-4v5g-8pq2-32m2 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works