CVE-2024-3096
PHP function password_verify can erroneously return true when argument contains NULIn PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
We have discovered 350,085 live websites that are affected by CVE-2024-3096.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 350,085 live websites (4.01% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 51 versions ( 9.32% of all versions) |
Common Weakness Enumeration
CWE-20 Improper Input ValidationDetails
- Published - Apr 29, 2024
- Updated - Feb 13, 2025
Credits
- Eric Stern (reporter)
CWE
CVE References
CWE References
CVE-2024-3096 usage by Country
 United States | 86,897 websites |
 France | 76,236 websites |
 Cyprus | 53,333 websites |
 Germany | 36,597 websites |
 Russia | 13,042 websites |
 Netherlands | 9,560 websites |
 Iran | 8,465 websites |
 Brazil | 6,709 websites |
 Australia | 6,449 websites |
 Poland | 3,994 websites |
CVE-2024-3096 usage by TLD
| .com | 139,599 websites |
| .fr | 29,789 websites |
| .org | 14,735 websites |
| .ru | 12,613 websites |
| .com.br | 12,558 websites |
| .nl | 10,938 websites |
| .net | 9,662 websites |
| .cn | 6,653 websites |
| .de | 5,924 websites |
| .co.uk | 5,865 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3096
Top websites that are affected by CVE-2024-3096. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *** | |
| ******.com | United States | *,*** | |
| *****.cz |  Czech Republic | *,*** | |
| ********.********.it |  Italy | *,*** | |
| ***.com | United States | *,*** | |
| ****.com |  China | *,*** | |
| *********.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| **********.edu | United States | *,*** | |
| ***************.org | United States | *,*** |
FAQ
CVE-2024-3096 is Improper Input Validation in PHP
A total of 350,085 websites have been identified as vulnerable to CVE-2024-3096, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2024-3096 vulnerability.
PHP versions before 8.3.5 are vulnerable to CVE-2024-3096.
Version 8.3.5 of PHP addresses the CVE-2024-3096 security vulnerability.