{"id":"CVE-2018-6345","details":"The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below).","modified":"2026-04-11T08:05:19.769599Z","published":"2019-01-15T22:29:00.250Z","references":[{"type":"ADVISORY","url":"https://hhvm.com/blog/2019/01/14/hhvm-3.30.2.html"},{"type":"FIX","url":"https://github.com/facebook/hhvm/commit/190ffdf6c8b1ec443be202c7d69e63a7e3da25e3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hhvm","events":[{"introduced":"0"},{"last_affected":"677c11ec89757e02e8d6b89fdee2895a319323cf"},{"introduced":"f0ad4879d6bee987a31c543ee57cc69b3741416b"},{"last_affected":"9aeb7c20b1fb5284705b689090415c117ec87a0e"},{"fixed":"190ffdf6c8b1ec443be202c7d69e63a7e3da25e3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.27.5"},{"introduced":"3.28.0"},{"last_affected":"3.30.1"}]}}],"versions":["HHVM-3.27.0","HHVM-3.27.1","HHVM-3.27.2","HHVM-3.27.3","HHVM-3.27.4","HHVM-3.27.5","HHVM-3.30.0","HHVM-3.30.1","HPHP-2.1.0","gcc-4.6","pre-hhvm","src-hphp"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","id":"CVE-2018-6345-3ad5cf46","source":"https://github.com/facebook/hhvm/commit/190ffdf6c8b1ec443be202c7d69e63a7e3da25e3","digest":{"length":2073,"function_hash":"95256358020707706149980498970347218152"},"signature_version":"v1","target":{"function":"string_number_format","file":"hphp/runtime/base/zend-string.cpp"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2018-6345-65f7d33b","source":"https://github.com/facebook/hhvm/commit/190ffdf6c8b1ec443be202c7d69e63a7e3da25e3","digest":{"line_hashes":["120448928775261171333816876248003924284","290830687089147216468533208881346715475","327620984512266839904410118598002568130","62121280727884383252454671421615411687","147159151230093668161659866324524529896","318187399451758695476112132875362274204","75308217060956838704125783808718071516","5372945335101579936913200712603807793"],"threshold":0.9},"signature_version":"v1","target":{"file":"hphp/runtime/base/zend-string.cpp"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-6345.json","vanir_signatures_modified":"2026-04-11T08:05:19Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}