GHSA-jq87-2wxp-8349: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-jq87-2wxp-8349) affects Zend Framework 2's Zend\Mvc\Router\Http\Query component, which was discovered and disclosed on March 13, 2013. This high-severity security issue impacts versions 2.0.0 to 2.0.8 and 2.1.0 to 2.1.4 of the zendframework/zendframework package. The vulnerability allows for route parameter injection via query strings, potentially leading to unauthorized access to different controllers (Zend Advisory).

The vulnerability exists in the way Zend\Mvc\Router\Http\Query handles query parameters. The component captures query parameters into RouteMatch and merges them with parent routes, which can lead to overriding previously captured routing parameters and bypassing constraints defined in parent routes. For example, a request URI like '/user/foo/?controller=SecretController&key=invalid_value' could override intended controller execution and bypass key parameter constraints (Zend Advisory).

The vulnerability allows attackers to execute different controllers than intended and bypass route constraints through query parameter manipulation. This can lead to unauthorized access to controllers and potential security bypass issues. The CVSS v3.1 score is 7.5 (High), with metrics indicating network vector attack, low complexity, no privileges required, and high impact on integrity (GitHub Advisory).

The issue was fixed in versions 2.0.8 and 2.1.4. The Query route was deprecated and modified to no longer pass query parameters to the RouteMatch. Users are recommended to upgrade to these versions immediately. As an alternative, developers can use the HTTP router's query option for URL assembly, which provides a secure way to handle query parameters (Zend Advisory).