FrankenPHP Path Confusion: When 'Ⱥ' Becomes 'ⱥ' and Your Server Explodes
Vulnerability ID: CVE-2026-24895
CVSS Score: 8.9
Published: 2026-02-12
A high-severity path confusion vulnerability in FrankenPHP's CGI handler allows attackers to execute arbitrary files as PHP scripts. The handler lowercases the request path before searching for the script extension, but some Unicode characters change byte length when lowercased, so a byte index found in the lowercased copy no longer matches the original path. The server therefore miscalculates the boundary between the script path (SCRIPT_NAME) and PATH_INFO. By placing characters such as 'Ⱥ' (U+023A, two bytes in UTF-8; its lowercase 'ⱥ', U+2C65, is three bytes) in the path, an attacker shifts the split index and can trick the server into executing previously uploaded files (e.g., images or text files) as code.
TL;DR
FrankenPHP < 1.11.2 mishandles Unicode case conversion when splitting URL paths. Because some characters change byte length when lowercased (e.g., 'Ⱥ' -> 'ⱥ', 2 bytes -> 3 bytes), an index computed in the lowercased copy is applied to the original path and the server miscalculates where the script file name ends. Attackers can use this to have arbitrary files executed as PHP (RCE). Update to 1.11.2 immediately.
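To make the byte-index mismatch concrete, the following Go program is an added example written for this page (it is not FrankenPHP's own code). It places a simplified vulnerable splitter, built on the pattern visible in the removed lines of the fix commit (lowercase the whole path, search for ".php", apply the index to the original), beside a corrected one that performs an ASCII case-insensitive search directly over the original bytes. The function names splitVulnerable, splitFixed and lowerByteShift, the sample paths, and the out-of-range guard inside the vulnerable variant are all assumptions of this example. It also goes one step beyond the advisory's 'Ⱥ' case: the KELVIN SIGN (U+212A, three bytes) lowercases in Go to a one-byte 'k', so the index error runs in the other direction and the computed script name is cut off before its '.php' extension.

```go
package main

import (
	"fmt"
	"strings"
)

// lowerByteShift returns how many bytes strings.ToLower adds to (or, if
// negative, removes from) path. Any non-zero value means an index computed
// in the lowercased copy is wrong when applied to the original string.
func lowerByteShift(path string) int {
	return len(strings.ToLower(path)) - len(path)
}

// splitVulnerable follows the pre-fix pattern shown in the advisory's diff:
// find the marker in a lowercased copy, then slice the ORIGINAL path at that
// index. Example code, not FrankenPHP's implementation.
func splitVulnerable(path, marker string) (script, info string, found bool) {
	lowerPath := strings.ToLower(path)
	idx := strings.Index(lowerPath, strings.ToLower(marker))
	if idx == -1 {
		return path, "", false
	}
	end := idx + len(marker)
	if end > len(path) {
		// Guard added for this example only: when the characters before the
		// marker expand, end can run past the original string and slicing
		// would panic. Clamping keeps the demo running.
		end = len(path)
	}
	return path[:end], path[end:], true
}

// splitFixed searches the original bytes with ASCII-only case folding, so the
// returned offsets are always offsets into path. Every byte of an ASCII marker
// is < 0x80 and every UTF-8 continuation byte is >= 0x80, so a match can never
// start in the middle of a multi-byte rune. marker must be ASCII (".php" here).
func splitFixed(path, marker string) (script, info string, found bool) {
	n := len(marker)
	for i := 0; i+n <= len(path); i++ {
		if asciiEqualFold(path[i:i+n], marker) {
			return path[:i+n], path[i+n:], true
		}
	}
	return path, "", false
}

func asciiEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		if asciiLower(a[i]) != asciiLower(b[i]) {
			return false
		}
	}
	return true
}

func asciiLower(c byte) byte {
	if 'A' <= c && c <= 'Z' {
		return c + ('a' - 'A')
	}
	return c
}

func main() {
	// Constructed sample request paths.
	paths := []string{
		"/index.php/user/1",          // plain ASCII: both splitters agree
		"/uploads/\u023A.php/user/1", // 'Ⱥ' -> 'ⱥ' (U+2C65): 2 bytes -> 3 bytes
		"/uploads/\u212A.php/user/1", // KELVIN SIGN -> 'k': 3 bytes -> 1 byte
	}
	for _, p := range paths {
		vs, vi, _ := splitVulnerable(p, ".php")
		fs, fi, _ := splitFixed(p, ".php")
		fmt.Printf("%q (lowercase shift %+d bytes)\n", p, lowerByteShift(p))
		fmt.Printf("  vulnerable: script=%q info=%q\n", vs, vi)
		fmt.Printf("  fixed:      script=%q info=%q\n", fs, fi)
	}
}
```

Running it shows the vulnerable splitter returning "/uploads/Ⱥ.php/" with PATH_INFO "user/1" for the expanding case, and "/uploads/K.p" (no ".php" extension at all) for the shrinking Kelvin-sign case, while the fixed splitter lands exactly after ".php" in every case. The design point is that the corrected search never builds a second string: it compares bytes in place, so the only offsets it ever produces are offsets into the path it will later slice.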
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-180
- Attack Vector: Network
- CVSS Score: 8.9 (High)
- Impact: Remote Code Execution (RCE)
- Exploit Status: PoC Available
- Bug Class: Path Confusion / Byte Index Misalignment
Affected Systems
- FrankenPHP: < 1.11.2 (fixed in 1.11.2)
Code Analysis
Commit: 04fdc0c
fix: proper case-insensitive path splitting
@@ -10,7 +10,7 @@ func splitPos(path string) int {
- lowerPath := strings.ToLower(path)
- if idx := strings.Index(lowerPath, ".php"); idx != -1 {
+ // Optimized manual loop and unicode search fallback
...
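Review bot: the replacement side of this hunk shows only a comment ("// Optimized manual loop and unicode search fallback") where the removed strings.ToLower(path) / strings.Index(lowerPath, ".php") pair used to be, so the property that actually fixes the bug cannot be reviewed here: the int that splitPos returns must be a byte offset into the original path, never into a lowercased copy whose length can differ. Please show the loop body, and make sure the "unicode search fallback" does not reintroduce the problem by lowercasing the whole path before calling strings.Index; since the marker ".php" is ASCII, an ASCII case-insensitive comparison walked over the original bytes keeps every offset aligned. Add a regression test with a length-changing character in front of ".php" ('Ⱥ', U+023A, 2 bytes, lowercases to 'ⱥ', U+2C65, 3 bytes) asserting that the returned index lands exactly after ".php".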
Exploit Details
- GitHub Advisory: Proof of concept URI using 'Ⱥ' expansion.
Mitigation Strategies
- Upgrade FrankenPHP to version 1.11.2 or later.
- As a stopgap until the upgrade, add a WAF rule that rejects non-ASCII characters in the URI path ahead of the script extension: any character whose lowercase form has a different UTF-8 byte length (expanding ones such as 'Ⱥ' -> 'ⱥ', and contracting ones such as the KELVIN SIGN, which lowercases to a one-byte 'k') shifts the split index.
- Restrict what the PHP handler may execute by validating the resolved file's extension on the server side, rather than trusting the ".php" marker in the request path; uploaded files should never be executable as PHP.
Remediation Steps:
- Check the current version with: frankenphp version
- If it is < 1.11.2, download the latest binary from GitHub releases.
- Restart the FrankenPHP service.
References
Read the full report for CVE-2026-24895 on our website for more details including interactive diagrams and full exploit analysis.