High severity · NVD Advisory · Published Mar 30, 2015 · Updated May 6, 2026
CVE-2015-2171
Description
Middleware/SessionCookie.php in Slim before 2.6.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slim/slim (Packagist) | < 2.6.0 | 2.6.0 |
Affected products: 1
Patches (1)
9fa651474eb4 Fix #1034 (CVE-2015-2171)
1 file changed · +2 −2
Slim/Middleware/SessionCookie.php+2 −2 modified@@ -124,7 +124,7 @@ protected function loadSession() if ($value) { try { - $_SESSION = unserialize($value); + $_SESSION = json_decode($value, true); } catch (\Exception $e) { $this->app->getLog()->error('Error unserializing session cookie value! ' . $e->getMessage()); } @@ -138,7 +138,7 @@ protected function loadSession() */ protected function saveSession() { - $value = serialize($_SESSION); + $value = json_encode($_SESSION); if (strlen($value) > 4096) { $this->app->getLog()->error('WARNING! Slim\Middleware\SessionCookie data size is larger than 4KB. Content save failed.');
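Review bot: in the first hunk (loadSession), `$_SESSION = json_decode($value, true);` stays inside a try/catch that malformed input will not trigger, because json_decode returns null on a decode failure by default instead of throwing. As far as these lines show, a tampered or old-format cookie then leaves $_SESSION set to null and nothing is logged. Check the result (for example with is_array()), fall back to an empty array and log in that branch; the message 'Error unserializing session cookie value!' could also be reworded now that the value is JSON.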
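Review bot: in the second hunk (saveSession), the result of `json_encode($_SESSION)` is not checked before `strlen($value) > 4096`. json_encode returns false on failure (for example on a string that is not valid UTF-8), strlen of that is 0, and the size check passes with no usable session data to store. Test for false and log before the length check. The upgrade notes should also say that objects placed in the session no longer round-trip, since the matching json_decode($value, true) returns arrays.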
References
- www.slimframework.com/2015/03/01/version-260.html (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-74mf-vjpg-9xh7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-2171 (ghsa, ADVISORY)
- seclists.org/fulldisclosure/2015/Mar/16 (nvd, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/slim/slim/CVE-2015-2171.yaml (ghsa, WEB)
- github.com/slimphp/Slim/commit/9fa651474eb4d3bb0ce40dd5a55c51bb861c2658 (ghsa, WEB)
- github.com/slimphp/Slim/issues/1034 (nvd, WEB)
- web.archive.org/web/20200229032229/http://www.securityfocus.com/bid/70087 (ghsa, WEB)
- www.securityfocus.com/bid/70087 (nvd)