HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.
Applications that call streamsocketserver or streamsocketclient functions with a URL starting with tls:// are affected.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "4.171.0"
},
{
"fixed": "4.171.1"
},
{
"introduced": "4.170.0"
},
{
"fixed": "4.170.2"
},
{
"introduced": "4.169.0"
},
{
"fixed": "4.169.2"
},
{
"introduced": "4.154.0"
},
{
"fixed": "1.168.2"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36937.json",
"cna_assigner": "facebook"
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
"cpe:2.3:a:facebook:hhvm:4.171.0:*:*:*:*:*:*:*",
"cpe:2.3:a:facebook:hhvm:4.172.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.153.4"
},
{
"introduced": "4.154.0"
},
{
"fixed": "4.168.2"
},
{
"introduced": "4.171.0"
},
{
"last_affected": "4.171.0"
},
{
"introduced": "4.172.0"
},
{
"last_affected": "4.172.0"
}
]
}"2026-07-10T00:31:06Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36937.json"
[
{
"id": "CVE-2022-36937-bf84c15a",
"digest": {
"line_hashes": [
"24010530632907002648307216837318941548",
"176589688183826310668867365706255585068",
"113334605668934533256516010032469343227",
"140335216194151808759673220052749435881"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/facebook/hhvm/commit/268f75e53fe151332273129ea5a42221481a1f39",
"deprecated": false,
"target": {
"file": "hphp/runtime/version.h"
}
},
{
"id": "CVE-2022-36937-c0ae7bbb",
"digest": {
"line_hashes": [
"121091964146730314286614053496083522780",
"190964122948176247185907594347662385709",
"329308149585322692300207900531998906186",
"140335216194151808759673220052749435881"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/facebook/hhvm/commit/96eb858013228b977f7ecb0d9516a138f07d0caa",
"deprecated": false,
"target": {
"file": "hphp/runtime/version.h"
}
},
{
"id": "CVE-2022-36937-d51c1ad0",
"digest": {
"line_hashes": [
"36602799550260798061553787771962267258",
"234250307083079915383381505626977248964",
"141775178956513107259480719217835169561",
"336514913396938612912909103171505825356",
"330417911054254029542996090058208042825",
"260952900214024683889878870712603392034",
"324722174129089817777404461533680265865",
"203923956049788163969299205761962759813"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b",
"deprecated": false,
"target": {
"file": "hphp/runtime/base/ssl-socket.cpp"
}
}
]