friendsofphp / OpenJS Foundation / FRIENDSOFPHP:SLIM
History: Mar 01, 2015 - 9:13 a.m.

PHP object injection attack vulnerability in Slim.

2015-03-01 09:13:00
OpenJS Foundation
github.com
114

EPSS: 0.006 (percentile 78.7%)

https://github.com/slimphp/Slim/blob/master/Slim/Middleware/SessionCookie.php#L127

Generally, it’s a bad idea to blindly unserialize() user-controllable input.

https://www.owasp.org/index.php/PHP_Object_Injection

EDIT - for people who don’t want to read the whole thread: The SessionCookie class is not used by default, you have to actually write your application to use it. So this means that the unserialize() -> RCE possibility is only for the select few apps that explicitly use this feature. The default is the native session driver, which is of course not vulnerable.
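The pattern the report warns about, a cookie value handed straight to unserialize(), shown next to two hardened variants, as an added example. This is not Slim's code and does not reproduce SessionCookie.php; the GadgetLogger class, SESSION_SECRET, the cookie format and the /tmp paths are hypothetical, and the attacker cookie string is constructed here for the demonstration.

```php
<?php
// Added example, not Slim's code: a cookie-backed session loader that trusts
// unserialize() (the pattern the issue warns about) next to two hardened
// variants. GadgetLogger, SESSION_SECRET and the cookie format are hypothetical.
declare(strict_types=1);

// Stand-in for any application class with a magic method. With plain
// unserialize(), the attacker picks the class and the property values, so every
// __wakeup/__destruct/__toString reachable through the autoloader is a gadget.
final class GadgetLogger
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Attacker-chosen side effect: append an arbitrary line to an arbitrary
        // path. Real gadget chains end in file writes, eval(), or similar.
        file_put_contents($this->path, $this->line . PHP_EOL, FILE_APPEND);
    }
}

// Vulnerable: the raw cookie is treated as a serialized PHP value.
function loadSessionVulnerable(string $cookieValue): array
{
    $data = unserialize($cookieValue); // object is built; __destruct fires when it is discarded
    return is_array($data) ? $data : [];
}

// Least-change mitigation (PHP 7.0+): forbid object instantiation entirely.
// Any object becomes __PHP_Incomplete_Class and no magic method runs.
function loadSessionNoClasses(string $cookieValue): array
{
    $data = @unserialize($cookieValue, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Preferred design: authenticate the cookie with an HMAC so only values this
// server produced are accepted, and carry the session as JSON, which cannot
// instantiate objects at all.
const SESSION_SECRET = 'replace-with-a-random-32-byte-key'; // hypothetical; load from config

function saveSessionHardened(array $session): string
{
    $payload = base64_encode(json_encode($session, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, SESSION_SECRET);
}

function loadSessionHardened(string $cookieValue): array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SESSION_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time compare; rejects forgeries
        return [];
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return [];
    }
    $decoded = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed attacker cookie: a serialized GadgetLogger where the application
// expects an array. Only the class name and property values are needed.
$evil = 'O:12:"GadgetLogger":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"owned";}';

@unlink('/tmp/pwned.txt');
loadSessionVulnerable($evil);   // the object is discarded and __destruct writes the file
printf("vulnerable loader ran gadget: %s\n", file_exists('/tmp/pwned.txt') ? 'yes' : 'no');

@unlink('/tmp/pwned.txt');
loadSessionNoClasses($evil);    // __PHP_Incomplete_Class, so no destructor runs
printf("allowed_classes=false ran gadget: %s\n", file_exists('/tmp/pwned.txt') ? 'yes' : 'no');

@unlink('/tmp/pwned.txt');
loadSessionHardened($evil);     // fails the HMAC check before anything is decoded
printf("hmac+json loader ran gadget: %s\n", file_exists('/tmp/pwned.txt') ? 'yes' : 'no');

$cookie = saveSessionHardened(['user_id' => 42]);
printf("legitimate round trip: %s\n", json_encode(loadSessionHardened($cookie)));
```

The `allowed_classes => false` option is the smallest change if a serialized format must be kept, but it only stops object instantiation; it does not stop an attacker from rewriting the array contents of their own session. Authenticating the cookie with an HMAC (and comparing with hash_equals) closes that as well, and storing JSON instead of PHP serialization removes the object-injection surface regardless of which classes the autoloader can reach.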