CVE-2024-5458
Filter bypass in filter_var (FILTER_VALIDATE_URL)In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
We have discovered 415,221 live websites that are affected by CVE-2024-5458.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 415,221 live websites (4.76% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 57 versions ( 10.42% of all versions) |
Details
- Published - Jun 9, 2024
- Updated - Mar 14, 2025
Credits
- c01l (reporter)
CVE References
CVE-2024-5458 usage by Country
 United States | 99,898 websites |
 France | 77,653 websites |
 Cyprus | 64,986 websites |
 Germany | 43,029 websites |
 Netherlands | 27,398 websites |
 Russia | 14,184 websites |
 Iran | 8,643 websites |
 Brazil | 7,553 websites |
 Australia | 6,975 websites |
 GB | 4,847 websites |
CVE-2024-5458 usage by TLD
| .com | 162,408 websites |
| .fr | 30,300 websites |
| .nl | 25,434 websites |
| .org | 16,783 websites |
| .com.br | 14,631 websites |
| .ru | 14,569 websites |
| .net | 11,163 websites |
| .de | 7,121 websites |
| .be | 6,887 websites |
| .cn | 6,844 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-5458
Top websites that are affected by CVE-2024-5458. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *** | |
| ******.com | United States | *,*** | |
| *****.cz |  Czech Republic | *,*** | |
| ********.********.it |  Italy | *,*** | |
| ***.com | United States | *,*** | |
| *******.com | Germany | *,*** | |
| ****.com |  China | *,*** | |
| *********.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| **********.edu | United States | *,*** |
FAQ
A total of 415,221 websites have been identified as vulnerable to CVE-2024-5458, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2024-5458 vulnerability.
PHP versions before 8.3.8 are vulnerable to CVE-2024-5458.
Version 8.3.8 of PHP addresses the CVE-2024-5458 security vulnerability.
References
- https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w
- http://www.openwall.com/lists/oss-security/2024/06/07/1
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
- https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html
- https://security.netapp.com/advisory/ntap-20240726-0001/