CVE-2016-6875

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-6875
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6875.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-6875
Downstream
Published
2017-02-17T17:59:01Z
Modified
2025-10-21T03:57:54.020356Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

References

Affected packages

Git / github.com/facebook/hhvm

Affected ranges

Type
GIT
Repo
https://github.com/facebook/hhvm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1888810e77b446a79a7674784d5f139fcfa605e2

Affected versions

HPHP-2.*

HPHP-2.1.0

gcc-4.*

gcc-4.6

Other

pre-hhvm
src-hphp

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "source": "https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2",
        "digest": {
            "line_hashes": [
                "76297515596572548142676573148034841838",
                "175746803774406424921840425508106861864",
                "167897691110371861136565504032950625350",
                "93035593523402503352778961287468455116",
                "46466422116042227653228369214739744365",
                "117257128500912968444444644164695571231",
                "189003099043617438951512165831165224573",
                "107329065183615963795663747441467153380",
                "291619946007508725164843786079283068574",
                "301507225113634883713923931054769035002",
                "333532474214320857176391028886472576015",
                "274910130862199735208783863332695770281",
                "86122892845394419550349236841050960377",
                "26623336131808316217366416948688841525",
                "80265113851266134412492155967057858047",
                "72246276943876773757498017735374572579",
                "241403812568583213671270173532321798460",
                "259613982861258657114095164670104131323",
                "303985175454384902793161908580977793515",
                "216516024934393105568142835782703347590",
                "314738675635936429941176674002252564567",
                "275515862393996140971613522286944904793"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "hphp/runtime/ext/wddx/ext_wddx.cpp"
        },
        "id": "CVE-2016-6875-18e607dc",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "deprecated": false,
        "source": "https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2",
        "digest": {
            "line_hashes": [
                "78751173785827356294180259296160039829",
                "210538964558441800395649364488499641069",
                "161735090181712192574971403022679950508",
                "206021377363724860345475610751683518653",
                "152138425784359092976991151174525591429",
                "52031854424960527970229119656044167980",
                "5486123268443892645300441762055955837"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "hphp/runtime/ext/wddx/ext_wddx.h"
        },
        "id": "CVE-2016-6875-44448c99",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "deprecated": false,
        "source": "https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2",
        "digest": {
            "function_hash": "320552028476698702792096574859269024060",
            "length": 2040.0
        },
        "target": {
            "function": "WddxPacket::recursiveAddVar",
            "file": "hphp/runtime/ext/wddx/ext_wddx.cpp"
        },
        "id": "CVE-2016-6875-b5e1b509",
        "signature_version": "v1",
        "signature_type": "Function"
    }
]