GHSA-6xch-2vxx-5pvr
eZ Platform Rules to disable executable access are ignored on Platform.sh (eZ Cloud)
Blast Radius
ezsystems/ezplatform🐘ezsystems/ezplatform🐘ezsystems/ezplatformReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service).
The consequence of this is that in such a setup, those executable files may be downloadable. They will not be executable, unless you have specifically configured platform.sh to allow that (which you really should not do). The severity of the download access is limited, but it's better if the platform.sh cloud setup works the same way as regular eZ Platform does. All platform.sh setups are affected.
The fix adds a rule to the .platform.app.yaml configuration file, with the same effect as the rewrite rule already mentioned. After applying the fix, any attempt to access such files will fail with Access Denied. This security update is distributed via Composer as ezsystems/ezplatform 1.7.9.1, and 1.13.5.1, and 2.5.4. This is the commit: https://github.com/ezsystems/ezplatform/commit/773dddc0d8fe4fda34d2153a401eeaa6cc30b1ff
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | ezsystems/ezplatform | ≥ 2.5.0&&< 2.5.4 | 2.5.4 |
| 🐘Packagist | ezsystems/ezplatform | ≥ 1.13.0&&< 1.13.5.1 | 1.13.5.1 |
| 🐘Packagist | ezsystems/ezplatform | ≥ 1.7.0&&< 1.7.9.1 | 1.7.9.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ezsystems/ezplatform. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ezsystems/ezplatform to 2.5.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-6xch-2vxx-5pvr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-6xch-2vxx-5pvr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-6xch-2vxx-5pvr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-6xch-2vxx-5pvr in your dependencies?
O3 detects GHSA-6xch-2vxx-5pvr across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.