PHP 7.3.3 contains 10 known security vulnerabilities that could put your website at serious risk. Released in March 2019, this version is still used by 251 websites worldwide, many unaware of the critical flaws lurking beneath the surface. One critical vulnerability in the EXIF component can allow attackers to read uninitialized memory, potentially exposing sensitive data or crashing your server.
If your website runs PHP 7.3.3, immediate action is required. This guide walks you through identifying if you're vulnerable, understanding the threats, and securing your server before attackers strike.
PHP 7.3.3 is a server-side programming language that powers website functionality like user authentication, database queries, and file processing. Think of it as the engine behind your website—it processes requests from visitors and delivers dynamic content. PHP 7.3.3 was an incremental update released in March 2019, meant to fix bugs and security issues from earlier versions.
However, PHP 7.3.3 itself contains serious security flaws that were discovered after its release. These vulnerabilities exist in core components like EXIF image processing, file operations, and archive handling. Attackers can exploit these weaknesses to read protected data, crash your site, or gain unauthorized access to your server.
10 CVEs found. The most critical are explained below.
PHP has a bug when processing image file metadata (EXIF data). This bug allows attackers to read uninitialized memory from your server, which might contain sensitive information. This is the most critical vulnerability in this list.
Impact: An attacker could extract sensitive server data by uploading specially crafted image files to your website. This could expose passwords, API keys, or private user information.
↗ View on NVDPHP's archive handling code (for .phar files) has a memory overflow bug triggered by certain file names. An attacker could exploit this by creating malicious archive files with extremely long link names.
Impact: A hacker could crash your website or potentially execute malicious code on your server by uploading or processing specially crafted archive files.
↗ View on NVDIf your server runs PHP using FPM (a common setup), child processes running as low-privilege users could potentially access memory and permissions they shouldn't have. This only affects setups where the main FPM process runs as root.
Impact: A low-privilege process could gain unauthorized access to restricted server memory and resources, potentially leading to data theft or system compromise.
↗ View on NVDPHP's file rename function has a timing flaw when moving files between different disks. During the rename process, the file is briefly accessible with incorrect permissions, creating a security window.
Impact: An unauthorized user could access or modify files on your server during the brief moment when permissions are wrong, potentially stealing or altering website data.
↗ View on NVDSimilar to CVE-2019-9641, this is another photo metadata (EXIF) bug where PHP incorrectly reads uninitialized memory. It specifically affects camera maker notes within image files.
Impact: An attacker could extract sensitive server memory by uploading image files with specially crafted metadata, potentially exposing confidential data.
↗ View on NVDAnother EXIF metadata bug in PHP where variables aren't properly initialized before use. Attackers exploit this through image files with malicious metadata sections.
Impact: Hackers could read unauthorized server memory by uploading images with crafted metadata, potentially revealing passwords, tokens, or personal user information.
↗ View on NVDShowing first 10 of 4. View all on NVD ↗
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2019-9640 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. |
| CVE-2024-7553 | HIGH | 7.3 | 2024-08-07 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the a… |
| CVE-2021-21706 | MEDIUM | 5.3 | 2021-10-04 | In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside t… |
| CVE-2021-21707 | MEDIUM | 5.3 | 2021-11-29 | In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. I… |
Plain English · Fix recommendations · Instant PDF & HTML download
Scan your site in 30 seconds. Used by 500+ web agencies.
PHP 7.3.3 poses a critical security risk with one dangerous vulnerability and seven high-severity flaws that attackers actively exploit. Delaying your upgrade increases the likelihood of data breaches, malware injection, and server compromise. The longer you wait, the more exposed your website becomes to automated attacks scanning for these known vulnerabilities.
Don't leave your website vulnerable—use SiteRecipe.com's free security scanner to identify all outdated software on your server today. Our platform provides step-by-step upgrade guides, compatibility checks, and continuous monitoring to keep your site secure. Take control of your website security right now and eliminate the threats that put your business at risk.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.