CVE-2026-42552
Flight vulnerable to sensitive information disclosure via default error handler
Description
### Summary

The default error handler `Engine::_error()` writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal).

### Affected code

`flight/Engine.php` (≈ lines 678-704):

```php
public function _error(Throwable $e): void {
    ...
    $msg = sprintf(<<<'HTML'
        <h1>500 Internal Server Error</h1>
        <h3>%s (%s)</h3>
        <pre>%s</pre>
        HTML,
        $e->getMessage(),
        $e->getCode(),
        $e->getTraceAsString()
    );
    $this->response()->cache(0)->clearBody()->status(500)->write($msg)->send();
}
```

No `flight.debug` check, no environment gating.

### Proof of concept

Any uncaught exception — including those auto-raised from `handleError()` — returns:

```
HTTP/1.1 500 Internal Server Error

<h1>500 Internal Server Error</h1>
<h3>secret path /var/www/config/db.yml; token=LEAKED123 (0)</h3>
<pre>#0 [internal function]: {closure}()
#1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...
#2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)
...
</pre>
```

Reproduced against the live PoC app at `/poc5/error`.

### Impact

- Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).
- Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.
- Enumeration of installed vendor packages and internal application structure.

### Patch (fixed in `3.18.1`, commit `b8dd23a`)

A new `flight.debug` setting (default `false`) gates the verbose output. In production the handler now emits only `<h1>500 Internal Server Error</h1>`. Developers can set `flight.debug = true` in local environments to restore the full trace output.

### Credit

Discovered by **@Rootingg**.
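As an added illustration (not Flight's own code), a standalone model of the handler before and after debug gating. The function names `renderErrorVulnerable` and `renderErrorGated`, the `$debug` flag standing in for the `flight.debug` setting, and the sample exception are all assumed for this example; the gated version also logs the detail server-side so operators still see it.

```php
<?php
// Added illustration, not code from the Flight project.
declare(strict_types=1);

// Before the fix: message, code and full trace go straight to the client.
function renderErrorVulnerable(Throwable $e): string
{
    return sprintf(
        "<h1>500 Internal Server Error</h1>\n<h3>%s (%s)</h3>\n<pre>%s</pre>",
        $e->getMessage(),
        $e->getCode(),
        $e->getTraceAsString()
    );
}

// After the fix: the verbose body is rendered only when a debug flag
// (modelling `flight.debug`, default false) is enabled. The detail is
// written to the server log instead, so nothing is lost for operators.
function renderErrorGated(Throwable $e, bool $debug = false): string
{
    error_log(sprintf(
        '[500] %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (!$debug) {
        return '<h1>500 Internal Server Error</h1>';
    }
    // Escape the message before embedding it in HTML, even in debug mode.
    return sprintf(
        "<h1>500 Internal Server Error</h1>\n<h3>%s (%s)</h3>\n<pre>%s</pre>",
        htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'),
        $e->getCode(),
        htmlspecialchars($e->getTraceAsString(), ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample: an exception built by interpolating a config path
// and a secret, the pattern the advisory warns about (values are made up).
$e = new RuntimeException('secret path /var/www/config/db.yml; token=EXAMPLE', 0);

echo renderErrorVulnerable($e), "\n\n";  // leaks path, token and trace
echo renderErrorGated($e), "\n\n";       // production: generic body only
echo renderErrorGated($e, true), "\n";   // local debug: full detail, escaped
```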
How to fix CVE-2026-42552
To fix CVE-2026-42552, upgrade the affected package to the patched version listed below.
- — Upgrade to 3.18.1 or later
Is CVE-2026-42552 being exploited?
Low — EPSS is 0.0%; no widespread exploitation activity has been observed so far.