⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.
CVE-2021-3007 — Deserialization of Untrusted Data in Laminas-http
Severity
9.8CRITICALNVD
EPSS
90.3%
top 0.40%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedJan 4
Latest updateNov 23
Description
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommen…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages7 packages
Patches
🔴Vulnerability Details
7💥Exploits & PoCs
1Nuclei▶
Laminas Project laminas-http - Remote Code Execution