PHP 7.4.21 contains two medium-severity vulnerabilities that could impact your website's security. While not critical, these CVEs deserve immediate attention as they affect core functionality like database operations and URL validation. With 765 websites still running this version, the risk of exploitation remains significant.
This guide walks you through understanding these vulnerabilities, identifying if you're affected, and implementing the necessary fixes. Whether you're a developer or website owner, protecting your site from these known exploits is essential for maintaining user trust and data integrity.
We'll break down the technical details into simple terms and provide actionable steps to secure your PHP installation today.
What is Php 7.4.21?
PHP 7.4.21 is a server-side programming language version that powers millions of websites worldwide. It's the software that runs behind the scenes on your web server, handling everything from processing form submissions to communicating with databases. Think of it as the engine of your website—when the engine has vulnerabilities, the entire vehicle becomes at risk.
PHP versions receive security updates regularly, with new versions released to patch discovered vulnerabilities. Version 7.4.21 was released to address several security issues, including the two medium-severity CVEs discussed in this article. Keeping your PHP version current is like getting regular maintenance for your car—it keeps everything running smoothly and prevents serious problems.
Key Vulnerabilities in Php 7.4.21
2 CVEs found. The most critical are explained below.
MEDIUMCVE-2021-217045.0/10 · CVSS v3.1
⏱ Within 7 days
Firebird Database Driver Crash Vulnerability
If your website uses PHP 7.4.21 with a Firebird database connection, a malicious or compromised database server could send invalid data that crashes your site's database functions. This would cause your website to stop working when trying to retrieve or process data.
Impact: Your website could experience downtime and become unavailable to customers when database operations fail. An attacker controlling the database server could intentionally trigger these crashes.
MEDIUMCVE-2021-217054.3/10 · CVSS v3.1
⏱ Within 7 days
URL Validation Security Bypass
A flaw in PHP's URL checking tool allows malformed URLs with invalid passwords to be incorrectly accepted as legitimate. This means your website might process URLs that should be rejected, potentially leading to security issues.
Impact: Attackers could bypass your URL validation checks and submit malicious links that your code processes as valid, potentially leading to security breaches or phishing attacks through your site.
1Log into your web hosting control panel (cPanel, Plesk, or your hosting provider's dashboard)
2Navigate to the PHP Settings or PHP Version section to view your current PHP version
3Compare your version number with 7.4.21—if you see 7.4.20 or earlier, you're vulnerable to these CVEs
4Alternatively, create a file called phpinfo.php with the code <?php phpinfo(); ?> and upload it to your server, then open it in a browser to see your version
How to Fix These Vulnerabilities
1Backup your entire website, databases, and configuration files before making any changes to prevent data loss
2Contact your hosting provider and request an upgrade to PHP 7.4.21 or higher (preferably 7.4.x latest or PHP 8.x for better security)
3If you manage your own server, use your package manager to upgrade: run 'apt-get update && apt-get install php7.4' (on Ubuntu/Debian) or equivalent for your system
4After upgrading, test your website thoroughly across all major browsers and functionalities, including database queries and form submissions, before considering the update complete
Conclusion
The two medium-severity CVEs in PHP 7.4.21 present real security risks that shouldn't be ignored. CVE-2021-21704 could crash your database functions, while CVE-2021-21705 allows invalid URLs to bypass security checks. Taking 30 minutes to upgrade protects your site from potential exploits and ensures your users' data remains secure.
Don't let your website become part of the vulnerable 765 sites still running this outdated version. Use SiteRecipe.com's comprehensive vulnerability scanner to identify all security issues across your tech stack, monitor your PHP version in real-time, and receive instant alerts when updates are available. Secure your site today—your users depend on it.
Frequently Asked Questions
Will upgrading PHP 7.4.21 break my website?
Minor version upgrades (7.4.20 to 7.4.21) rarely cause issues since they're designed for backward compatibility. However, always backup your site first and test thoroughly. Major version changes (7.4 to 8.0) are more likely to require code adjustments, so test on a staging environment first.
What happens if I don't upgrade from PHP 7.4.21?
Your website remains vulnerable to the two known CVEs. Attackers could exploit the Firebird PDO driver vulnerability to crash database operations or use malformed URLs to bypass security filters. This could lead to data breaches, service interruptions, and loss of customer trust.
How often should I update PHP?
Update immediately when security patches are released, and plan major version upgrades every 1-2 years as older versions reach end-of-life. Most hosting providers handle automatic security patches, but you should verify your setup. SiteRecipe.com helps you stay on top of all security updates automatically.
Is PHP 7.4.21 still supported?
PHP 7.4 reached end-of-life in November 2022, meaning it no longer receives security updates. If you're still running 7.4.21, you should upgrade to PHP 8.1 or later for continued security support and bug fixes.
Can I skip versions when upgrading PHP?
You can typically skip minor versions within the same major release (e.g., 7.4.10 to 7.4.21), but upgrading between major versions should be done carefully. Test thoroughly or consult with your hosting provider's technical support before jumping versions.
Generate white-label reports for your clients
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability
Database (NVD) maintained by NIST. Detection of a technology version does not confirm active
exploitation on any specific website. For informational purposes only.
SiteRecipe is not responsible for actions taken based on this report.
Always consult a qualified security professional.