CVE-2021-37704
published 2021-08-12


Priority: P3 (35)
CVSS 3.1: 4.3 medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Exploit / EPSS: 6.13% (92.6th percentile)
PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7, `phpinfo()` output can be exposed if the `/vendor` directory is not protected from public access. This is a rare situation today, since the vendor directory is usually located outside the web root or protected by a server rule (.htaccess, etc.). Only v6, v7 and v8 will be patched, in 6.1.5, 7.1.2 and 8.0.7 respectively. Older versions such as v5 and v4 are no longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.

Affected (9 ranges)

Vendor           | Product      | Version range       | Fixed in
phpfastcache     | phpfastcache | < 6.1.5             | 6.1.5
phpfastcache     | phpfastcache | >= 0 < 6.1.5        | 6.1.5
phpfastcache     | phpfastcache | >= 7.0.0 < 7.1.2    | 7.1.2
phpfastcache     | phpfastcache | >= 7.0.0 < 7.1.2    | 7.1.2
phpfastcache     | phpfastcache | >= 8.0.0 < 8.0.7    | 8.0.7
phpfastcache     | phpfastcache | >= 8.0.0 < 8.0.7    | 8.0.7
phpsocialnetwork | phpfastcache | < 6.1.5             | 6.1.5
phpsocialnetwork | phpfastcache |                     |
phpsocialnetwork | phpfastcache |                     |

Detection & IOCs (extracted from sources)

Path: /vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php
Path: /vendor/phpfastcache/phpfastcache/examples/phpinfo.php
  • HTTP GET request to either phpinfo.php path returns HTTP 200 with both 'PHP Extension' AND 'PHP Version' in the response body, indicating exposed phpinfo() output.
  • Extract the exposed PHP version from the response body using the regex pattern '>PHP Version ([0-9.]+)' to confirm exploitation and enumerate the target environment.
  • Stop scanning at first match — probe /docs/examples/phpinfo.php first, then fall back to /examples/phpinfo.php; a hit on either confirms the vendor directory is publicly accessible.
  • This is a rare/low-impact scenario in modern deployments where the vendor directory is typically outside the web root or protected by server rules (.htaccess, etc.).
  • The Nuclei template requires exactly 2 HTTP requests maximum (max-request: 2), one per candidate path, stopping at first positive match.

CVSS provenance

NVD, CVSS v3.1: 4.3 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v2.0: 4.0 MEDIUM — AV:N/AC:L/Au:S/C:P/I:N/A:N