nikic/php-parser is vulnerable to Code Injection
59
Medium Risk
The ConstExprEvaluator component evaluates constant expressions extracted from parsed PHP code into PHP values. When an expression contains the pipe operator (|>), the evaluator resolves the right-hand operand and invokes it as a callable with the left-hand value, so an expression such as "id" |> "shell_exec" executes the named function. Applications that run the evaluator over untrusted or attacker-influenced PHP source can be induced to call arbitrary functions during constant-expression evaluation. The fix removes direct handling of the pipe operator and routes it to the fallback evaluator, which does not invoke callables.
You are affected if you are using a version that falls within the vulnerable range and evaluate untrusted or user-supplied PHP expressions with the constant expression evaluator.
nikic/php-parser is vulnerable to Code Injection in versions 5.6.0 - 5.7.0.
Upgrade the nikic/php-parser library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant