CVE-2024-2757: 
PHP vulnerability analysis and mitigation

CVE-2024-2757 affects PHP versions 8.3.* before 8.3.5, specifically impacting the mbencodemimeheader() function. The vulnerability was discovered and disclosed in April 2024, affecting PHP applications that process email headers using this function (PHP Advisory, OSS Security).

The vulnerability occurs when the mbencodemimeheader() function processes inputs containing long strings of non-space characters followed by a space. When encountering such inputs, the function enters an infinite loop and fails to return. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

The vulnerability can lead to Denial of Service (DoS) attacks if a malicious user sends specifically crafted data to an application that uses the mbencodemimeheader() function. This is particularly concerning as the function is integral to numerous email processing routines, including those handling potentially untrusted user inputs. For example, CakePHP 5 relies on this function to encode email subjects (PHP Advisory).

The vulnerability has been fixed in PHP version 8.3.6. All users of PHP 8.3.* versions before 8.3.5 are encouraged to upgrade to this patched version (Security Online).