
cpe:2.3:a:facebook:hhvm:4.61.0:*:*:*:*:*:*:*

part: a version: 4.61.0 update: *

Vendor: Facebook (c319c35a-3469-5baa-b3bd-8582d1206a92)
Product: Hhvm (f2db6c03-3315-587d-a49f-0af5739172b6)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL: pkg:github/facebook/hhvm
Source: purl2cpe
Last updated: 2026-06-01 10:11:42.804159

Vulnerability references

Identifier: CVE:CVE-2020-1900
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:41:59.036981
db.gcve.eu details: Details available
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Published: 2021-03-11T00:55:20.000Z
Updated: 2024-08-04T06:54:00.541Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2020-1899
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:41:59.036439
db.gcve.eu details: Details available
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Published: 2021-03-11T00:55:19.000Z
Updated: 2024-08-04T06:53:59.985Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2020-1898
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:41:59.035330
db.gcve.eu details: Details available
The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string could cause deserialization to recurse, leading to stack exhaustion. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0, 4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.
Published: 2021-03-11T00:55:18.000Z
Updated: 2024-08-04T06:53:59.646Z
Rationale: Imported from gcve-enriched-dumps CVE data
