{"id":"CVE-2018-15503","details":"The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.","modified":"2026-04-11T11:39:43.620527Z","published":"2018-08-18T02:29:01.903Z","references":[{"type":"ADVISORY","url":"https://x-c3ll.github.io/posts/swoole-deserialization-cve-2018-15503/"},{"type":"REPORT","url":"https://github.com/swoole/swoole-src/issues/1882"},{"type":"FIX","url":"https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/swoole/swoole-src","events":[{"introduced":"0"},{"last_affected":"45d5548b4694c5a12cbf2791f783345dc649248f"},{"fixed":"4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.4"}]}}],"versions":["1.8.10-stable","1.8.11-alpha","1.8.11-beta","1.8.6-rc4","1.8.6-stable","1.8.7-rc1","1.8.7-stable","1.8.8-alpha","1.8.8-beta","1.8.8-rc1","1.8.8-stable","1.8.9-alpha","1.8.9-beta","1.8.9-rc1","1.8.9-stable","swoole-1.5.0","swoole-1.5.1","swoole-1.5.2","swoole-1.5.3","swoole-1.5.4","swoole-1.5.5","swoole-1.5.6","swoole-1.5.7","swoole-1.5.8","swoole-1.5.9","swoole-1.5.9b","swoole-1.6.0","swoole-1.6.1","swoole-1.6.10","swoole-1.6.11-alpha","swoole-1.6.11-beta","swoole-1.6.11-stable","swoole-1.6.12-alpha","swoole-1.6.12-beta","swoole-1.6.12-stable","swoole-1.6.2","swoole-1.6.3","swoole-1.6.4","swoole-1.6.5","swoole-1.6.6","swoole-1.6.7","swoole-1.6.7-for-MacOS","swoole-1.6.8","swoole-1.6.9","swoole-1.7.0-alpha","swoole-1.7.0-stable","swoole-1.7.1-alpha","swoole-1.7.1-beta","swoole-1.7.1-stable","swoole-1.7.10-alpha","swoole-1.7.10-beta","swoole-1.7.10-for-ARM","swoole-1.7.10-rc1","swoole-1.7.10-rc2","swoole-1.7.10-rc3","swoole-1.7.10-rc4","swoole-1.7.10-rc5","swoole-1.7.10-stable","swoole-1.7.11-alpha","swoole-1.7.11-beta","swoole-1.7.11-rc1","swoole-1.7.11-rc2","swoole-1.7.11-stable","swoole-1.7.12-alpha","swoole-1.7.12-stable","swoole-1.7.13-alpha","swoole-1.7.13-beta","swoole-1.7.13-rc1","swoole-1.7.13-rc2","swoole-1.7.13-stable","swoole-1.7.14-alpha","swoole-1.7.14-beta","swoole-1.7.14-rc1","swoole-1.7.14-rc2","swoole-1.7.14-stable","swoole-1.7.15-alpha","swoole-1.7.15-beta","swoole-1.7.15-rc1","swoole-1.7.15-rc2","swoole-1.7.15-rc3","swoole-1.7.15-stable","swoole-1.7.16-alpha","swoole-1.7.16-beta","swoole-1.7.16-stable","swoole-1.7.17-beta","swoole-1.7.17-rc1","swoole-1.7.17-stable","swoole-1.7.18-alpha","swoole-1.7.18-beta","swoole-1.7.18-rc1","swoole-1.7.18-rc2","swoole-1.7.18-stable","swoole-1.7.19-alpha","swoole-1.7.19-beta","swoole-1.7.19-rc1","swoole-1.7.19-rc2","swoole-1.7.19-stable","swoole-1.7.2-alpha","swoole-1.7.2-beta","swoole-1.7.2-stable","swoole-1.7.20-alpha","swoole-1.7.20-beta","swoole-1.7.20-stable","swoole-1.7.21-alpha","swoole-1.7.21-beta","swoole-1.7.21-stable","swoole-1.7.22-alpha","swoole-1.7.22-beta","swoole-1.7.22-rc1","swoole-1.7.22-rc2","swoole-1.7.22-stable","swoole-1.7.3-alpha","swoole-1.7.3-beta","swoole-1.7.3-beta-2","swoole-1.7.3-stable","swoole-1.7.4-alpha","swoole-1.7.4-beta","swoole-1.7.4-stable","swoole-1.7.5-RC1","swoole-1.7.5-RC2","swoole-1.7.5-alpha","swoole-1.7.5-beta","swoole-1.7.5-stable","swoole-1.7.6-RC1","swoole-1.7.6-alpha","swoole-1.7.6-beta","swoole-1.7.6-stable","swoole-1.7.7-RC2","swoole-1.7.7-RC3","swoole-1.7.7-alpha","swoole-1.7.7-beta","swoole-1.7.7-stable","swoole-1.7.8-RC1","swoole-1.7.8-RC2","swoole-1.7.8-alpha","swoole-1.7.8-beta","swoole-1.7.8-stable","swoole-1.7.9-alpha","swoole-1.7.9-beta","swoole-1.7.9-rc1","swoole-1.7.9-rc2","swoole-1.7.9-rc3","swoole-1.7.9-stable","swoole-1.8.0-alpha","swoole-1.8.0-beta","swoole-1.8.0-rc2","swoole-1.8.0-stable","swoole-1.8.1-alpha","swoole-1.8.1-beta","swoole-1.8.1-stable","swoole-1.8.2-alpha","swoole-1.8.2-beta","swoole-1.8.2-rc1","swoole-1.8.2-rc2","swoole-1.8.2-stable","swoole-1.8.3-alpha","swoole-1.8.3-beta","swoole-1.8.3-rc1","swoole-1.8.3-rc2","swoole-1.8.3-stable","swoole-1.8.4-alpha","swoole-1.8.4-beta","swoole-1.8.4-rc1","swoole-1.8.4-stable","swoole-1.8.5-alpha","swoole-1.8.5-beta","swoole-1.8.5-rc1","swoole-1.8.5-rc2","swoole-1.8.5-stable","swoole-1.8.6-alpha","swoole-1.8.6-beta","swoole-1.8.6-rc1","swoole-1.8.6-rc2","swoole-1.8.6-rc3","swoole-1.8.7-alpha","swoole-1.8.7-beta","v1.3.1","v1.3release","v1.4.0","v1.4.1","v1.4.2","v1.8.14-alpha","v1.9.0-alpha","v1.9.0-beta","v1.9.0-rc1","v1.9.0-stable","v1.9.1-alpha","v1.9.1-beta","v1.9.1-rc1","v1.9.1-stable","v1.9.10","v1.9.11","v1.9.12","v1.9.13","v1.9.14","v1.9.15","v1.9.17","v1.9.18","v1.9.19","v1.9.2-alpha","v1.9.2-stable","v1.9.21","v1.9.22","v1.9.23","v1.9.3-stable","v1.9.4","v1.9.5","v1.9.6","v1.9.7","v1.9.8","v1.9.9","v2.0.11","v2.0.12","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v3.0.0-alpha","v4.0.0","v4.0.0-rc1","v4.0.1","v4.0.2","v4.0.3","v4.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15503.json","vanir_signatures":[{"id":"CVE-2018-15503-6eed4cf2","target":{"file":"swoole_serialize.c"},"source":"https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76","deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["27327491658145454191183675913643776429","148048807536482572215586536771339738588","283056574427884682559347186794914941418","213249443360257041689340304519941112868","318211189092762964607899582701197996941","325586135594676032070933732792265352364","60250848877633725423467952236233047961","193928308526599799562657054746859178398","290215068655936449849315935681529697390","138322607239213698195144770483271216372","107502444112180363988132374369772254753","100729956685838176420296933823721269024","238727235480119949518621090597555073344","241349047050587373507823947572682297638","78658625519362234703748523435312838803","272802496951304390691776853666002928819","320511055104847322128622315090697391152","201473792045770936698260223075276746956","23573621074776207803669741844438332217","14051873899177502666652206406504449282","129917739313696490973588035350260901877","48388560018899975588189046785252654529","261901743359053347146790267173023104987","307644484239422863601471837353275368912","176332053495123133507309196490829896605","323589299298277861054358827003843347974","28547117671666146593711377468577478431","171333452854614614648488981435552391449","334395012224011817425370836445045078535","26111335624330013360521534319313497519","266821887424731514123034154167411288515","25447854650120164534391751663801069979","327234130101062182132427137447014610783","159079352578140155719879666040575442732","56641894742932420552591561377705977110","152912504076660897336789472398717619022","33906086985070029895642435956578985079","230097608567604611718010811238591773295","283232720140953370980512360494506939622","188068747475457696627226028899988535556","321509063608130991665151037753226722147","302949476307151174658676864277013884656","317991733007872837764271201616247537332","141768626499739944874964223599756327275","103513362096957724745752878078729772662","165720724189363332595105183712098095657","213669649980921230164748039476807524078","278848706141794982063792174636189529544","83464867095809643361568066103600843157","99155559758259427326448968642695258977","133536398020341505954534705639892918817","295254574363935325581513836999733578835","203136309299955687542531606834298261261","28351150684673421230011221202913902551","105213459459570488306833114628324582823","150393883604825164261125322830224564432","7322178836093550152217245921517121601","208555204237619035409437617326673453382","69980791114788433178778901064012690845","111582348291770140753196794814080666974","182842265259205944363665646648920181649","142031272278059470626236525227376139855","146365932269968186626338745068982218388","297840103747106103489247109123754561034","15563753485887060882806852773665310102","204958722603496130489783024501384446657","52952650195088612365759691771035869222","289737150032685633002567751935030688566","294603045187479088122863961876354866468","255403995450770575122846272910852398748","20559693802094135355274655986531866153","40494958459989259073120009719054271166","21695092667311571725913497271549289127","200202199171036848171812577072777966837","243057938335440837846554953894876672073","239421360128750571614283472190588109249","145860006630588336152315330130957040034","204005586689554083245857935146798685820","167015424144793724895002381029642619492","218435309553503918082886926695327921477","87949967545735998827221793577691630035","172936496441426647203921872944039142492","164267180215824700930871996614690917122","131556727908386932494181408771695405806","271627373123688872534993878325267034228","18364144360704496106071289164749629822","26676772014427311647508812586048365181","339014513781378484133674874511558397878","76011477818279422107665507817830027754","33969356981804966307708670647616806805","308648868682388008881526641693864311327","240336815238153821223253112225200513380","183426384361946385474998866494890955479","253020265647369308575475026557585160446","217507894517799465948790320424585067027","154650079309687025265711702369329916300","224966538183654662635547846678170495540","153266905823553643692493609271176621560","146725461065721510000280617900680856366","4229462487597641839469268384344992101","53717912032287449548674700205159532859","48021297176697479224559806049979980360","303947384015353139543437970395630434309","280356914673185159874168905764325576218","192254923037187130481602185671254937903","99999582607575932425425703254378837543","309706439792041737141289277193048449921","324748200011652523415297010377685851577","211811574193521626578506715468106834156","260149460405364405285219849237153422697","226884959753414229757505685733062883085","186948627384224449206655777720868819784","38810970074185088631695875232190053790","27478797108306352467018482344266443329","304022615912595311752183980058035205701","149733089642629124580782758979305825381","65613085247483612926573864999451422540","287367316625471749782398696303580357976","46222446102890343579882219450402325543","217751011054620762328976154385889607211","223674990117998315544811432133763514393","301632747045236765709829602257048062176","317971202453778553466141153584909822225","187251091696734224064650643454611184125","76029178714483655219853895106846785373","38744611620166088143246250994298655398","52897369843780487064679246906830909193","251047019546816087681699781443042620198","178750544375494593575796502520157044375","317822795472935949728264787005721104550","235670051893760636286794743993557747677","144511123968619370157539121928235807758","333074141710635353878506192750459148821","17796315904687122028133488608343116889","259392448332287048425503879140271109699","226503316293263377468231564785337444419","263096118317057747137590189610829072104","101183740133082148148942903016268110466","37194199808753995600750662872922213834","243871890968892327296449964767250524638","152805933660972115938685077011252904300","259336958830447301668384249554204296132","239932998423781011822415815175999028881","159524618340104038336147638933635191576","223146673687394241126074151815243409886","165364225576327166500434532982342313204","259336958830447301668384249554204296132","239932998423781011822415815175999028881","159524618340104038336147638933635191576","97235824124646500755070299067597799344"]}},{"id":"CVE-2018-15503-8c035274","target":{"function":"php_swoole_unserialize","file":"swoole_serialize.c"},"source":"https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"length":1361,"function_hash":"269618928546804415795011286133509488357"}},{"id":"CVE-2018-15503-dcc8d327","target":{"function":"swoole_unserialize_object","file":"swoole_serialize.c"},"source":"https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"length":1598,"function_hash":"297101157815826533612672663763451683258"}},{"id":"CVE-2018-15503-f8bc6d1f","target":{"function":"swoole_unserialize_arr","file":"swoole_serialize.c"},"source":"https://github.com/swoole/swoole-src/commit/4cdbce5d9bf2fe596bb6acd7d6611f9e8c253a76","deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"length":3756,"function_hash":"308964144600458560027825076945430563540"}}],"vanir_signatures_modified":"2026-04-11T11:39:43Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}