PHP-FPM Local Root Vulnerability

10-Year-Old PHP-FPM Local Privilege Escalation Vulnerability Discovered

The vulnerability allows a low-privilege user to escalate his privileges to root using a bug in PHP-FPM.

PHP is one of the most commonly used programming languages on the planet. As you know it is a programming language originally designed for use in web-based applications with HTML content.

PHP powers 78.4% of the web, including popular content management systems like WordPress, Drupal, and Joomla. The main reason behind this is PHP’s open-source nature, lightweight structure, and developer-friendly yet powerful features. 

Security researchers are warning that a PHP-FPM local privilege escalation vulnerability impacting PHP could put millions of websites at risk. The vulnerability allows the root FPM process to read/write at arbitrary locations using pointers located in the SHM (Shared memory), leading to a privilege escalation from www-data to root. And this has been present for 10 years.

Related: How to Configure Nginx to Work with PHP via PHP-FPM

What are the affected PHP versions? This is possible in PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP-FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users.

Just for your information, here’s the percentage of PHP versions being used worldwide as of July, 2021.

PHP versions usage as of July, 2021

If you’re wondering if you are vulnerable, here’s the answer. If you are using Apache and PHP, you might be using PHP-FPM. To be sure, you need to check on your server if Apache runs PHP as a module or via PHP-FPM. However if you’re using NGINX and PHP, you are using PHP-FPM. Therefore you are vulnerable.

Luckily this vulnerability was fixed in PHP’s versions 8.0.12 and 7.4.25. So if you are running a version of PHP-FPM which is among those vulnerable, please update immediately to the highest version in your release branch.

Bobby Borisov
Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.


  1. The bug report, there wasn’t any explot provided. Just a bad imple.entation poined out and a theoretical scenario. However it has to be patched, indeed.

Leave a Reply

Your email address will not be published. Required fields are marked *