Hi,
Please see: https://bugs.php.net/bug.php?id=79465&edit=2
CVE is assigned (CVE-2020-7067)
Fixed in 7.4.5 Release: https://www.php.net/ChangeLog-7.php#7.4.5
A remote attacker might leak values from the memory by crafting a malicious url-encoded string into PHP’s urldecode()