Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto as an array or object key, JavaScript's proto setter is invoked, replacing the deserialized...

PHP 5.6 GMP unserialize() Use-After-Free

Use After Free Vulnerability in unserialize with GMP Taoguang Chen - Write Date: 2015.8.17 - Release Date: 2015.9.4 A use-after-free vulnerability was discovered in unserialize with GMP object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code...