GCVE - cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Facebook (`c319c35a-3469-5baa-b3bd-8582d1206a92`)
Product	Hiphop Virtual Machine (`792993b6-e98e-5fa3-b7c2-4c8d30e52745`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/ubuntu/hhvm`	purl2cpe	2026-06-01 10:11:43.150874
`pkg:github/facebook/hhvm`	purl2cpe	2026-06-01 10:11:43.150877
`pkg:rpm/opensuse/hhvm`	purl2cpe	2026-06-01 10:11:43.150880
`pkg:sourceforge/hhvm.mirror`	purl2cpe	2026-06-01 10:11:43.150883

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2019-3570`	vulnerable	2026-06-03 14:40:26.598459	Details available Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series. Published: 2019-07-18T15:42:25.000Z Updated: 2024-08-04T19:12:09.495Z Open on db.gcve.eu Reference links https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815 https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-9714`	vulnerable	2026-06-03 14:34:28.105088	Details available Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value function. Published: 2015-04-13T14:00:00.000Z Updated: 2024-08-06T13:55:04.129Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/74061 https://phabricator.wikimedia.org/T85851 https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 https://github.com/facebook/hhvm/issues/4283 http://www.openwall.com/lists/oss-security/2015/04/07/3	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-6229`	vulnerable	2026-06-03 14:34:13.157898	Details available The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string, and makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging truncation of a string containing an internal '\0' character. Published: 2014-12-28T15:00:00.000Z Updated: 2024-08-06T12:10:12.215Z Open on db.gcve.eu Reference links http://hhvm.com/blog/6239/hhvm-3-3-0 https://github.com/facebook/hhvm/commit/7135ec229882370a00411aa50030eada6034cc1b	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-6228`	vulnerable	2026-06-03 14:34:13.157486	Details available Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split function. Published: 2014-12-28T15:00:00.000Z Updated: 2024-08-06T12:10:12.990Z Open on db.gcve.eu Reference links https://github.com/facebook/hhvm/commit/1f91e076a585118495b976a413c1df40f6fd3d41	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-5386`	vulnerable	2026-06-03 14:34:06.295142	Details available The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector. Published: 2014-12-28T15:00:00.000Z Updated: 2024-08-06T11:41:49.092Z Open on db.gcve.eu Reference links https://github.com/facebook/hhvm/commit/ab6fdeb84fb090b48606b6f7933028cfe7bf3a5e	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2209`	vulnerable	2026-06-03 14:33:50.009164	Details available Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory. Published: 2014-12-28T15:00:00.000Z Updated: 2024-08-06T10:06:00.247Z Open on db.gcve.eu Reference links https://github.com/facebook/hhvm/commit/851fff90a9b7461df2393af32239ba217bc25946	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2208`	vulnerable	2026-06-03 14:33:50.008821	Details available CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string. Published: 2014-12-28T15:00:00.000Z Updated: 2024-08-06T10:06:00.272Z Open on db.gcve.eu Reference links https://github.com/facebook/hhvm/commit/506a44194a9016406c752ad8e010c01aeffc18cc	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.