Security Notification

The security bug described here is actually not in Flow but in the PECL PHP yaml extension in conjunction with Flow

Component Type: PECL YAML parser
Vulnerability Type: remote code execution
Severity: low
Affected Versions: All Flow versions
Suggested CVSS: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:H/RL:W/RC:C 
CVE: n/a

No exploit is known yet, and there is no way to exploit it in a default Flow or Neos installation as you would have to have access to the filesystem to do so. Therefore the severity is low and we don't plan a bugfix from our side, see below for checking if you are affected and how to mitigate the problem.

Due to PHP object deserialisation enabled by default an attacker with access to modify YAML files could possibly create PHP objects.

See also

See also this PHP bug report:

Am I affected?

  • Do you use the PECL YAML PHP extension? if no, you are not affected.
  • Did you already disable object deserialisation? If you disabled it, you are not affected.

To test if you are affected you can run the following code which will either print "affected!" or "not affected" depending on the status of your system:

$affected = extension_loaded('yaml') && ini_get('yaml.decode_php');
echo ($affected ? 'affected!' : 'not affected');

Fixing the Issue

To fix the issue, you can either disable the PHP extension completely or set the following configuration setting in your php.ini to disable object deserialisation:

yaml.decode_php = 0

See for more information abut this setting. 

Getting Help

In case you are unsure about the issue, don't hesitate to contact the Neos team on Slack (#flow-general) or through the other communication channels!