CVE-2026-57584 in Phalconinfo

Summary

by MITRE • 07/10/2026

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability in Phalcon framework represents a critical security flaw that affects versions prior to 5.15.0, specifically within the routing mechanism of MVC applications. This issue stems from the improper handling of regular expression patterns used for route matching, creating a scenario where attacker-controlled input can trigger catastrophic backtracking behavior. The root cause lies in the default router configuration which registers built-in routes containing nested quantifiers in their compiled PCRE patterns, particularly the pattern (/.). When Phalcon\Mvc\Router::handle() processes incoming requests, it applies these vulnerable patterns against attacker-controlled URI paths, making every request susceptible to exploitation.

The technical implementation of this vulnerability involves the use of nested quantifiers within Perl Compatible Regular Expressions, a construct that has been widely documented as prone to catastrophic backtracking attacks. The specific pattern (/.) combined with the /:params placeholder and CLI router creates an environment where repeated slashes followed by decoded newlines can cause exponential backtracking during pattern matching operations. This behavior aligns with CWE-623, which specifically addresses the use of regular expressions that are vulnerable to catastrophic backtracking due to nested quantifiers. The vulnerability operates at the core of the framework's request processing pipeline, making it particularly dangerous as it affects all MVC applications using the default router configuration without requiring any special setup or conditions.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, potentially affecting system availability and resource consumption across all affected Phalcon applications. When an attacker crafts malicious URIs with repeated slashes and decoded newlines, the routing mechanism becomes overwhelmed with backtracking operations that consume excessive CPU cycles, leading to potential system exhaustion or complete route-matching failures. This attack vector can be exploited by any user who has access to send HTTP requests to the vulnerable application, making it particularly dangerous in production environments where applications may be exposed to untrusted input. The vulnerability affects both web and CLI routing contexts, amplifying its impact across different application deployment scenarios.

The mitigation for this vulnerability requires upgrading to Phalcon version 5.15.0 or later, which includes patches that eliminate the problematic nested quantifier patterns in the default router configuration. Organizations should also implement additional defensive measures including input validation and sanitization of URI paths, rate limiting mechanisms, and monitoring for unusual request patterns that might indicate exploitation attempts. From an ATT&CK framework perspective, this vulnerability maps to T1071.004 (Application Layer Protocol: DNS) and T1496 (Resource Hijacking) as it can be used to consume system resources through malformed input processing. Security teams should also consider implementing web application firewalls that can detect and block suspicious URI patterns, particularly those containing repeated slashes or unusual encoding sequences that may trigger the backtracking behavior.

Responsible

GitHub M

Reservation

06/24/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!