VYPR
Critical severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2020-5203

Description

In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Fat-Free Framework 3.7.1's `clear()` method allows arbitrary code execution when user input is passed, due to missing input sanitization.

Vulnerability

Overview

CVE-2020-5203 affects Fat-Free Framework (F3) version 3.7.1, a popular PHP micro-framework. The vulnerability resides in the clear() method, which is intended to reset global variables. If a developer naively passes user-controlled input (e.g., $_REQUEST, $_GET, $_POST) to this method, the key is interpolated into an eval() call without sanitization, which can be exploited to achieve arbitrary code execution [1][2].

Exploitation

Conditions

Exploitation requires that the clear() method is called with unsanitized user input. No authentication is necessary if the vulnerable code path is exposed via HTTP request parameters. The attacker crafts a malicious string that, when evaluated inside eval('unset('.$this->compile('@this->hive.'.$key).');'), triggers code injection. The framework's compile() function processes the key, but the original code did not filter out PHP-close-tag-like patterns or function calls [3].

Impact

A successful attack allows an unauthenticated remote attacker to execute arbitrary PHP code on the server. This could lead to full site compromise, data theft, or further server-side attacks. The framework is widely used for rapid web application development, increasing the potential blast radius [1][2].

Mitigation

The vulnerability was patched in a subsequent commit (dae95a0), which adds a regex-based sanitization step, `$key=preg_replace('/(\)\W*\w+.*$)/','',$key);`, to strip any trailing function calls or PHP structures from the key before it is evaluated [3]. Users should upgrade to Fat-Free Framework version 3.7.2 or later, which includes this fix [4]. As a workaround, never pass unfiltered user input to the clear() method.
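As an added example (not Fat-Free Framework code and not from this advisory), the following PHP wrapper places the fix's sanitization line beside a stricter allowlist check, so that a request parameter never reaches clear() unvalidated. The hive-key grammar, the allowlist entries and the $f3 object are assumptions.

```php
<?php
// Added example: a defensive wrapper around Fat-Free's clear(). It is not
// framework code. Assumptions: $f3 is a \Base instance with a clear() method,
// the hive-key grammar below and the allowlist entries are hypothetical.

// The sanitization line introduced by fix commit dae95a0 (from the diff on this
// page), kept here only to compare its effect against the stricter check below.
function f3_fix_sanitize(string $key): string
{
    return preg_replace('/(\)\W*\w+.*$)/', '', $key);
}

// Positive validation: accept only dotted identifiers (assumed hive-key shape)
// that are also listed explicitly. Anything else is rejected, not rewritten.
function is_safe_clear_key(string $key, array $allowlist): bool
{
    return preg_match('/^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*$/', $key) === 1
        && in_array($key, $allowlist, true);
}

// Only this function should ever see request input; clear() is called with a
// value that passed validation, never with $_REQUEST['key'] directly.
function clear_from_request(object $f3, array $request, array $allowlist): bool
{
    $key = $request['key'] ?? '';
    if (!is_string($key) || !is_safe_clear_key($key, $allowlist)) {
        error_log('clear_from_request: rejected key ' . var_export($key, true));
        return false;
    }
    $f3->clear($key);
    return true;
}

// Constructed sample keys (no framework needed to run the two validators).
$allowlist = ['SESSION.cart', 'SESSION.flash'];
foreach (['SESSION.cart', 'SESSION.token', 'SESSION.cart)x'] as $candidate) {
    printf("%-16s allowed=%-3s after-fix-regex=%s\n", $candidate,
        is_safe_clear_key($candidate, $allowlist) ? 'yes' : 'no',
        f3_fix_sanitize($candidate));
}
```

The loop shows the difference in approach: the fix's regex rewrites a bad key and continues, while the allowlist check refuses anything it does not recognise.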

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bcosca/fatfree (Packagist)
Affected versions: < 3.7.2
Patched versions: 3.7.2

Affected products: 3

Patches
dae95a0baf39

ensure misuse of clear() won't open a vulnerability

1 file changed · +4 -4
  • base.php (+4 -4, modified)
    @@ -503,6 +503,8 @@ function clear($key) {
     			// Reset global to default value
     			$this->hive[$parts[0]]=$this->init[$parts[0]];
     		else {
    +			// Ensure we have no code injection
    +			$key=preg_replace('/(\)\W*\w+.*$)/','',$key);
     			eval('unset('.$this->compile('@this->hive.'.$key).');');
     			if ($parts[0]=='SESSION') {
     				session_commit();
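Review bot: the new preg_replace on $key is a strip-and-continue blocklist placed directly in front of eval(), not a validation: the pattern /(\)\W*\w+.*$)/ only removes text from a ")" that is followed by at least one word character, so any key that does not contain that exact shape reaches eval() unchanged. Consider rejecting the key (return early or throw) unless it matches the positive hive-key grammar the framework expects, and reword the comment "Ensure we have no code injection" to state what the regex actually strips, since as written it promises more than the line delivers.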
    @@ -2963,13 +2965,11 @@ function c($val) {
     	*	@param $str string
     	**/
     	function token($str) {
    -		$fw=$this->fw;
    -		$str=trim(preg_replace('/\{\{(.+?)\}\}/s',trim('\1'),
    -			$fw->compile($str)));
    +		$str=trim(preg_replace('/\{\{(.+?)\}\}/s','\1',$this->fw->compile($str)));
     		if (preg_match('/^(.+)(?<!\|)\|((?:\h*\w+(?:\h*[,;]?))+)$/s',
     			$str,$parts)) {
     			$str=trim($parts[1]);
    -			foreach ($fw->split(trim($parts[2],"\xC2\xA0")) as $func)
    +			foreach ($this->fw->split(trim($parts[2],"\xC2\xA0")) as $func)
     				$str=((empty($this->filter[$cmd=$func]) &&
     					function_exists($cmd)) ||
     					is_string($cmd=$this->filter($func)))?
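Review bot: this token() refactor is unrelated to the clear() fix and should be a separate commit so that the security change can be reviewed and backported in isolation. The behaviour change itself looks safe: trim('\1') trimmed the literal two-character replacement string '\1', which contains no whitespace, so replacing it with '\1' is a no-op, and dropping the $fw alias in favour of $this->fw changes nothing; the only style point is that the new single-line preg_replace call is noticeably longer than the surrounding lines and could keep the original wrapping.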

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
