GHSA-xg43-5579-qw6v
PHP Análisis y mitigación de vulnerabilidades

Impact

adawolfa/isdoc reads ISDOC invoices from ISDOCX (ZIP) archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes:

  • ISDOCX decompression bombgetFromName() inflates the ISDOC document and binary supplements with no size cap.
  • saveTo() disk-fill — the supplement copy loop writes inflated bytes to disk with no running byte budget, so a bomb can exhaust disk even if the central-directory size is under-reported.
  • PDF embedded files — an embedded file whose declared Length is enormous is read and digested with no upper bound. Exploitation requires the application to parse an attacker-supplied .isdocx or .pdf (the typical use is generating files or parsing files from trusted vendors, so a user must be induced to process a malicious file). When that happens the process can be driven to exhaust memory or disk, causing denial of service. There is no confidentiality or integrity impact — availability only.

Patches

Fixed in 1.4.3, 1.5.1, 1.6.1 and 2.0.0. The readers now:

  • read the uncompressed size from the ZIP central directory (statName()) and reject entries over a cap before inflating — 256 KB (DocumentSizeLimit) for the ISDOC document, 32 MB (SizeLimit) for supplements;
  • enforce a running byte budget in saveTo() and unlink the partial file on overflow;
  • reject PDF-embedded files whose declared Length exceeds 256 MB before reading or digesting them. New exceptions ReaderException::zipEntryTooLarge(), SupplementException::supplementTooLarge() and ReaderException::pdfSupplementTooLarge() surface the rejection.

Unsupported versions

Versions before 1.4.0 (the 1.0–1.3 lines) are also affected and will not receive a fix, because they target end-of-life PHP. Users on those lines should upgrade to a maintained release — 1.4.3, 1.5.1, 1.6.1, or 2.0.0.

Workarounds

No code-level workaround exists in affected versions; upgrading is the fix. As mitigation, restrict parsing to trusted input, or enforce an external size / decompression limit (validate ZIP entry sizes, cap process memory) before handing files to the library.

Resources

  • Decompression-bomb fix: commit 935fb2a (backported, released as 1.4.3 / 1.5.1 / 1.6.1) and 02a1012 (master, released as 2.0.0).
  • CWE-409 (Improper Handling of Highly Compressed Data), CWE-400 (Uncontrolled Resource Consumption).

FuenteNVD

Relacionado PHP Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NoJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades