CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24894: FrankenPHP's Zombie Sessions: When High Performance Leaks Secrets

Vulnerability ID: CVE-2026-24894
CVSS Score: 8.7
Published: 2026-02-12

FrankenPHP, an application server for PHP written in Go, shipped a high-severity session isolation flaw in its worker mode. When superglobals were reset between requests, the $_SESSION entry was not removed from the global symbol table, so session data from one request remained visible to the next request handled by the same worker. Which client's data ended up in front of which other client depended only on request scheduling, so one user's private session contents could be served to an unrelated user.

TL;DR

In worker mode, FrankenPHP versions before 1.11.2 did not clear $_SESSION between requests. A script that read $_SESSION before calling session_start() saw the previous request's session data, which was still sitting in the worker's memory. Fixed in 1.11.2.


⚠️ Exploit Status: POC

Technical Details

  • CVSS Score: 8.7 (High)
  • Attack Vector: Network
  • CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) / CWE-668 (Exposure of Resource to Wrong Sphere)
  • Architecture: x86/ARM (Go/C)
  • Component: frankenphp_reset_super_globals
  • Exploit Status: PoC Available

Affected Systems

  • FrankenPHP < 1.11.2 (fixed in 1.11.2)

Code Analysis

Commit: 24d6c99

fix: reset $_SESSION superglobal

zend_hash_str_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION") - 1);

This call removes the _SESSION entry from the executor's global symbol table (EG(symbol_table)) while the superglobals are being reset, so the next request on the worker starts without a stale $_SESSION and session_start() repopulates it from that request's own session only. Before the fix, a read of $_SESSION ahead of session_start() returned whatever the previous request had left there.

Exploit Details

  • N/A: Internal research / PoC described in advisory

Mitigation Strategies

  • Update the Engine
  • Defensive Coding
  • Restart Strategy

Remediation Steps:

  1. Update Immediately: Upgrade to FrankenPHP 1.11.2 or later. This is the only robust fix; the steps below are stop-gaps for the window until you can.
  2. Code Hardening: If you cannot upgrade immediately, call unset($_SESSION) at the very start of the per-request handler (the top of index.php, or the closure passed to frankenphp_handle_request), before any code reads session data. session_start() then repopulates $_SESSION from the current client's session only. Also audit the application for reads of $_SESSION that happen before session_start(), since those are the exact code paths that observed the stale data.
  3. Recycle Workers: As a temporary measure, set the MAX_REQUESTS environment variable that the documented worker-script loop reads to a low value (or 1), so each worker exits after a single request and is restarted with a fresh PHP context. This forfeits most of the performance benefit of worker mode, and it only helps if your worker script actually honours MAX_REQUESTS.
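The following worker script is an added example written for this page; it is not code from the FrankenPHP project or the advisory. It puts the read-before-session_start() pattern that leaked on FrankenPHP < 1.11.2 next to a handler hardened along the lines of steps 2 and 3 above. The MAX_REQUESTS loop follows the convention from the FrankenPHP worker-mode documentation (the variable is set with the env subdirective of the worker block in the Caddyfile); the handler names and the "user" session key are illustrative assumptions.

```php
<?php
// Added example, not FrankenPHP project code. A worker script contrasting the
// read-before-session_start() pattern that leaked on FrankenPHP < 1.11.2 with
// a handler hardened as described in the remediation steps.

ignore_user_abort(true);

// Convention from the FrankenPHP worker-mode docs: exit after N requests so the
// server restarts the worker with a fresh PHP context. MAX_REQUESTS=1 is the
// "restart after every request" stop-gap and costs most of the speedup.
$maxRequests = (int) ($_SERVER['MAX_REQUESTS'] ?? 0);

// VULNERABLE on < 1.11.2: $_SESSION is read before session_start(), so on an
// unpatched worker it still holds the PREVIOUS request's session array.
$vulnerableHandler = static function (): void {
    $user = $_SESSION['user'] ?? 'anonymous';   // stale value from another client
    session_start();
    header('Content-Type: text/plain');
    echo "user={$user}\n";                       // leaks the other client's identity
    session_write_close();
};

// HARDENED: discard whatever the worker's global symbol table still holds,
// then let session_start() repopulate $_SESSION from this client's cookie.
$hardenedHandler = static function (): void {
    unset($_SESSION);                            // stop-gap; harmless on >= 1.11.2
    session_start();
    $user = $_SESSION['user'] ?? 'anonymous';    // read only AFTER session_start()
    header('Content-Type: text/plain');
    echo "user={$user}\n";
    session_write_close();                       // persist and release the lock
};

// Serve requests with the hardened handler. On a pre-1.11.2 build, swapping in
// $vulnerableHandler makes the stale read observable whenever another client's
// request preceded yours on the same worker.
for ($n = 0; !$maxRequests || $n < $maxRequests; ++$n) {
    $keepRunning = \frankenphp_handle_request($hardenedHandler);
    gc_collect_cycles();
    if (!$keepRunning) {
        break;
    }
}
```

The unset is deliberately placed before session_start() rather than after: the bug is not that session_start() loads the wrong session, but that code running ahead of it can see the previous request's array. Once upgraded to 1.11.2, the unset becomes redundant but does no harm, so it can stay until the fleet is verified patched.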

Read the full report for CVE-2026-24894 on our website for more details including interactive diagrams and full exploit analysis.
