GHSA-qrch-52m5-vv85

Source
https://github.com/advisories/GHSA-qrch-52m5-vv85
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrch-52m5-vv85/GHSA-qrch-52m5-vv85.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qrch-52m5-vv85
Aliases
  • CVE-2026-42552
Published
2026-05-06T21:39:07Z
Modified
2026-05-14T20:52:30.221554Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Flight vulnerable to sensitive information disclosure via default error handler
Details

Summary

The default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal).

Affected code

flight/Engine.php (≈ lines 678-704):

public function _error(Throwable $e): void
{
    ...
    $msg = sprintf(<<<'HTML'
        <h1>500 Internal Server Error</h1>
            <h3>%s (%s)</h3>
            <pre>%s</pre>
        HTML,
        $e->getMessage(),
        $e->getCode(),
        $e->getTraceAsString()
    );
    $this->response()->cache(0)->clearBody()->status(500)->write($msg)->send();
}

No flight.debug check, no environment gating.

Proof of concept

Any uncaught exception — including those auto-raised from handleError() — returns:

HTTP/1.1 500 Internal Server Error

<h1>500 Internal Server Error</h1>
  <h3>secret path /var/www/config/db.yml; token=LEAKED123 (0)</h3>
  <pre>#0 [internal function]: {closure}()
  #1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...
  #2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)
  ...
  </pre>

Reproduced against the live PoC app at /poc5/error.

Impact

  • Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).
  • Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.
  • Enumeration of installed vendor packages and internal application structure.

Patch (fixed in 3.18.1, commit b8dd23a)

A new flight.debug setting (default false) gates the verbose output. In production the handler now emits only <h1>500 Internal Server Error</h1>. Developers can set flight.debug = true in local environments to restore the full trace output.
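The gating pattern the fix describes, shown as an added stand-alone example (this is not flightphp/core's patched code). A plain boolean $debug stands in for the flight.debug setting, the logger callable is an assumption standing in for whatever the application uses, and the exception message is a constructed sample. The point is that the generic body and the full diagnostics are produced on two different channels: the HTTP response gets only the generic heading unless debug is on, while the log always receives the complete detail so nothing is lost for operators.

```php
<?php
declare(strict_types=1);

// Added example, not Flight's own handler. $debug stands in for the
// flight.debug setting; $log stands in for the application's logger.

function renderErrorBody(Throwable $e, bool $debug): string
{
    // Production path: the response carries no message, code or trace.
    if (!$debug) {
        return '<h1>500 Internal Server Error</h1>';
    }
    // Debug path: escape before embedding, since exception messages can
    // carry request-derived text and would otherwise land in HTML unescaped.
    $msg   = htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    $trace = htmlspecialchars($e->getTraceAsString(), ENT_QUOTES, 'UTF-8');
    return sprintf(
        "<h1>500 Internal Server Error</h1>\n<h3>%s (%s)</h3>\n<pre>%s</pre>",
        $msg,
        (string) $e->getCode(),
        $trace
    );
}

function handleUncaught(Throwable $e, bool $debug, callable $log): string
{
    // The full detail goes to the server-side log on every path, so turning
    // debug off does not cost diagnosability.
    $log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        date('c'),
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));
    return renderErrorBody($e, $debug);
}

// Constructed sample: an exception whose message interpolates a config value,
// the situation the advisory's impact section describes.
$e = new RuntimeException('secret path /var/www/config/db.yml; token=EXAMPLE');

$logged = [];
$log = function (string $line) use (&$logged): void {
    $logged[] = $line;
};

$prodBody = handleUncaught($e, false, $log);
$devBody  = handleUncaught($e, true, $log);

// Checks: the production body reveals nothing, the debug body keeps the
// detail, and both invocations reached the log.
if (strpos($prodBody, 'token=') !== false) {
    throw new LogicException('production body leaked exception message');
}
if (strpos($devBody, 'token=EXAMPLE') === false) {
    throw new LogicException('debug body should include the message');
}
if (count($logged) !== 2 || strpos($logged[0], 'db.yml') === false) {
    throw new LogicException('server-side log should hold the full detail');
}

echo "production body: ", $prodBody, PHP_EOL;
echo "log entries: ", count($logged), PHP_EOL;
```

Two things worth keeping when adapting this: the debug flag should come from configuration that is off by default (as the 3.18.1 setting is), never from anything request-controlled, and the generic body should be identical for every exception type, since a body that varies with the exception class still reveals internal structure.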

Credit

Discovered by @Rootingg.

Database specific
{
    "github_reviewed_at": "2026-05-06T21:39:07Z",
    "nvd_published_at": "2026-05-13T20:16:22Z",
    "cwe_ids": [
        "CWE-209"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

Packagist / flightphp/core

Package

Name
flightphp/core
Purl
pkg:composer/flightphp/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.18.1

Affected versions

v1.*
v1.0
v1.1
v1.1.5
v1.1.10
v1.2
v1.2.13
v1.2.14
v1.2.15
v1.2.17
v1.2.18
v1.2.19
v1.2.20
v1.2.21
v1.2.22
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0
v2.0.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.5.2
v3.5.3
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.7.1
v3.7.2
v3.8.0
v3.8.1
v3.9.0
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.13.1
v3.14.0
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.16.0
v3.16.1
v3.17.0
v3.17.1
v3.17.2
v3.17.3
v3.17.4
v3.18.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qrch-52m5-vv85/GHSA-qrch-52m5-vv85.json"