CVE-2026-24895 in franken
Summary
by MITRE • 02/12/2026
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability described in CVE-2026-24895 affects FrankenPHP, a modern application server designed for PHP applications that serves as an alternative to traditional web servers. This issue stems from a fundamental flaw in the server's handling of Unicode characters within the Common Gateway Interface (CGI) path splitting mechanism. The vulnerability specifically targets the logic responsible for parsing request paths to determine the correct PHP file execution context, which is critical for proper application server operation and security.
The technical flaw manifests in the improper handling of UTF-8 Unicode characters during case conversion operations within Go's string processing functions. When FrankenPHP processes incoming requests, it attempts to locate the .php file extension within the request path by first converting the entire path to lowercase for comparison purposes. However, the implementation fails to account for the fact that certain Unicode characters undergo byte length expansion when converted to lowercase. For instance, the character Ⱥ when lowercased becomes a multi-byte UTF-8 sequence, causing a discrepancy between the computed index position in the lowercased string and the actual position in the original string. This misalignment occurs because Go's strings.ToLower() function can produce output with different byte lengths than the input, a behavior that directly violates the assumptions underlying the path splitting algorithm.
The operational impact of this vulnerability extends beyond simple path resolution errors and represents a significant security concern for applications relying on FrankenPHP as their web server. When the index calculation fails due to Unicode character expansion, the server incorrectly determines the SCRIPT_NAME and SCRIPT_FILENAME environment variables, which are essential for PHP application execution. This misconfiguration can lead to the execution of unintended files, potentially allowing attackers to bypass normal access controls and execute arbitrary PHP code. The vulnerability creates a path traversal-like condition where an attacker could manipulate request paths containing specific Unicode characters to cause the server to execute files outside the intended directory structure. This type of flaw aligns with CWE-22 Path Traversal and CWE-77 Path Traversal, as it enables unauthorized file access through improper path handling.
The security implications of this vulnerability are particularly concerning in environments where FrankenPHP serves applications with sensitive data or where proper access controls are critical. Attackers could exploit this condition by crafting malicious URIs containing specific Unicode characters that trigger the index misalignment, potentially leading to remote code execution or data exposure. The vulnerability demonstrates a classic example of how seemingly benign string processing operations can introduce security flaws when proper consideration is not given to international character sets and their handling in programming languages. Organizations using FrankenPHP versions prior to 1.11.2 should prioritize immediate patching to address this issue, as it represents a direct threat to application security and could be leveraged for more sophisticated attacks. This vulnerability also highlights the importance of proper input validation and handling of international character sets in web server implementations, particularly in languages like Go where Unicode handling can introduce subtle but significant behavioral differences that affect security-critical code paths. The fix implemented in version 1.11.2 addresses the core issue by ensuring that index calculations properly account for byte length variations during Unicode case conversion operations, thereby maintaining the integrity of path resolution and preventing unauthorized file execution.