CVE-2021-29476
Insecure Deserialization of untrusted data in rmccue/requests
Severity: CRITICAL 9.8
EPSS: 2.2%
Published: 4/29/2021
Modified: 5/27/2026
Description
Requests is an HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.
Affected packages (2)
- Debian/wordpress: from 0, < 5.5.3+dfsg1-1
- Packagist/rmccue/requests: >= 1.6.0, < 1.8.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (14)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-29476
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-29476
- WEB: https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf
- WEB: https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security
- WEB: https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
- WEB: https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress
- WEB: https://github.com/ambionics/phpggc/issues/52
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/rmccue/requests/CVE-2021-29476.yaml
- WEB: https://github.com/rmccue/Requests/pull/421
- WEB: https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54
- WEB: https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
- WEB: https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf
- WEB: https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f
- WEB: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release