CVE-2014-125127 (GCVE-0-2014-125127)
Vulnerability from cvelistv5
Published
2025-09-03 08:35
Modified
2025-09-03 13:20
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.
References
Impacted products
Vendor Product Version
flightphp core Version: v1.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2014-125127",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-03T13:20:02.762521Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-03T13:20:06.873Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "packageName": "mikecao/flight",
          "product": "core",
          "programFiles": [
            "flight/net/Request.php"
          ],
          "repo": "https://github.com/flightphp/core",
          "vendor": "flightphp",
          "versions": [
            {
              "lessThanOrEqual": "v1.1.10",
              "status": "affected",
              "version": "v1.0",
              "versionType": "php"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T08:35:05.988Z",
        "orgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647",
        "shortName": "Checkmarx"
      },
      "references": [
        {
          "url": "https://github.com/mikecao/flight/pull/125"
        },
        {
          "url": "https://github.com/mikecao/flight/commit/da40e03eb4a39745107912dffe926a8fce0d38dc"
        },
        {
          "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Denial of Service (DoS) vulnerability in mikecao/flight",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647",
    "assignerShortName": "Checkmarx",
    "cveId": "CVE-2014-125127",
    "datePublished": "2025-09-03T08:35:05.988Z",
    "dateReserved": "2025-08-27T09:12:29.906Z",
    "dateUpdated": "2025-09-03T13:20:06.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-125127\",\"sourceIdentifier\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\",\"published\":\"2025-09-03T09:15:32.187\",\"lastModified\":\"2025-09-04T15:36:56.447\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127\",\"source\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\"},{\"url\":\"https://github.com/mikecao/flight/commit/da40e03eb4a39745107912dffe926a8fce0d38dc\",\"source\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\"},{\"url\":\"https://github.com/mikecao/flight/pull/125\",\"source\":\"596c5446-0ce5-4ba2-aa66-48b3b757a647\"},{\"url\":\"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2014-125127\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-03T13:20:02.762521Z\"}}}], \"references\": [{\"url\": \"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-03T13:19:54.570Z\"}}], \"cna\": {\"title\": \"Denial of Service (DoS) vulnerability in mikecao/flight\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/flightphp/core\", \"vendor\": \"flightphp\", \"product\": \"core\", \"versions\": [{\"status\": \"affected\", \"version\": \"v1.0\", \"versionType\": \"php\", \"lessThanOrEqual\": \"v1.1.10\"}], \"packageName\": \"mikecao/flight\", \"programFiles\": [\"flight/net/Request.php\"], \"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/mikecao/flight/pull/125\"}, {\"url\": \"https://github.com/mikecao/flight/commit/da40e03eb4a39745107912dffe926a8fce0d38dc\"}, {\"url\": \"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"596c5446-0ce5-4ba2-aa66-48b3b757a647\", \"shortName\": \"Checkmarx\", \"dateUpdated\": \"2025-09-03T08:35:05.988Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2014-125127\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-03T13:20:06.873Z\", \"dateReserved\": \"2025-08-27T09:12:29.906Z\", \"assignerOrgId\": \"596c5446-0ce5-4ba2-aa66-48b3b757a647\", \"datePublished\": \"2025-09-03T08:35:05.988Z\", \"assignerShortName\": \"Checkmarx\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.