CVE-2026-37552
Published: 01 May 2026
Description
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)AI
- SI-2 Flaw Remediation: requires timely identification, reporting, and correction of the unsafe deserialization flaw in MixPHP's sync-invoke TCP server (upgrade past 2.2.17 once a fixed release is available) to prevent arbitrary code execution.
- SI-10 Information Input Validation: mandates validation and authentication of all incoming TCP socket data before it is unserialized; bytes from the socket must never be passed straight to Opis\Closure\unserialize() and executed, which is what allows a crafted PHP closure to run.
- CM-7 Least Functionality: limits the system to required functions by disabling the sync-invoke TCP server where it is not needed, or restricting who can connect to it. Note that binding to 127.0.0.1 is not an access control: any local process, including one running as a different, lower-privileged user, can reach the port.
Security SummaryAI
CVE-2026-37552 is an unsafe deserialization vulnerability (CWE-502) affecting MixPHP Framework versions 2.x through 2.2.17. The issue resides in the sync-invoke TCP server implemented in Server.php at line 87, where data received from a TCP socket is passed directly to Opis\Closure\unserialize() and the resulting closure is then executed via call_user_func(). No authentication or signature verification is performed on the incoming TCP connection; the only access restriction is that the server listens on 127.0.0.1. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): local attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
Exploitation requires the ability to open a TCP connection to the loopback port on the target host. Any process that can do so, such as a lower-privileged local account, a compromised web-application worker, or a container sharing the host's network namespace, can send a crafted serialized PHP closure and have it executed with the privileges of the server process. The local attack vector therefore assumes the adversary already has a foothold on the host, typically obtained through another vulnerability or misconfiguration; from there the payload runs without user interaction and without any privileges on the service itself, because the loopback binding is the only barrier.
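The following PHP is an added illustration written for this page; it is not MixPHP's code and does not reproduce Server.php. The first function mirrors the pattern the advisory describes (socket bytes straight into Opis\Closure\unserialize() and call_user_func()). The second shows one hardened design for a local RPC endpoint: the wire format carries a method name and JSON arguments rather than code, every message is authenticated with an HMAC under a shared key, and dispatch goes through a server-side allowlist. The function names, the message framing, the secret key, and the `sum` handler are all assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not MixPHP code. Function names, framing, key and
// allowlist are assumptions chosen for illustration.

// --- Vulnerable pattern, as described in the advisory -------------------
// Whatever bytes arrive on the loopback socket are unserialized into a
// closure and executed. Anyone able to connect to the port gets code
// execution as the server process. Not called in the demo below.
function handleUnsafe(string $data): mixed
{
    $closure = \Opis\Closure\unserialize($data); // attacker controls $data
    return \call_user_func($closure);             // runs attacker's closure
}

// --- Hardened pattern ----------------------------------------------------
// 1. Never transmit code: the message carries a method NAME plus JSON
//    arguments, and the server dispatches through a fixed allowlist.
// 2. Authenticate every message with an HMAC so a local process without
//    the shared key is rejected before the payload is even parsed.

const HMAC_LEN = 64; // hex-encoded SHA-256

function buildRequest(string $method, array $args, string $key): string
{
    $payload = json_encode(['method' => $method, 'args' => $args], JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, $key) . $payload;
}

function handleRequest(string $wire, string $key, array $allowlist): mixed
{
    if (strlen($wire) <= HMAC_LEN) {
        throw new InvalidArgumentException('message too short');
    }
    $mac     = substr($wire, 0, HMAC_LEN);
    $payload = substr($wire, HMAC_LEN);

    // Constant-time comparison; reject before touching the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('bad signature');
    }

    $req = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    if (!is_string($req['method'] ?? null) || !is_array($req['args'] ?? null)) {
        throw new InvalidArgumentException('malformed request');
    }
    if (!isset($allowlist[$req['method']])) {
        throw new RuntimeException('method not allowed: ' . $req['method']);
    }
    // The callable comes from the server-side table, never from the wire.
    return $allowlist[$req['method']](...$req['args']);
}

// Demo with constructed input; no socket is opened.
$key       = random_bytes(32);                       // shared secret (assumed)
$allowlist = [
    'sum' => fn (int ...$n): int => array_sum($n),   // the only exposed method
];

$good = buildRequest('sum', [1, 2, 3], $key);
var_dump(handleRequest($good, $key, $allowlist));

// What an attacker without the key would send: a bogus MAC in front of a
// request for a method that is not on the allowlist. It fails at the MAC
// check; even with a valid MAC, 'system' would be refused by the allowlist.
$forged = str_repeat('0', HMAC_LEN) . json_encode(['method' => 'system', 'args' => ['id']]);
try {
    handleRequest($forged, $key, $allowlist);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two design points. First, the fix is not only the HMAC: opis/closure's 3.x series can itself sign serialized closures (SerializableClosure::setSecretKey), but a signed closure is still remote-supplied code that the server executes, so a key leak or a bug in the signing layer reverts to full code execution. Carrying only a method name and data, and dispatching through a table the server owns, removes that class of problem. Second, the check order matters: the MAC is verified over the raw bytes before json_decode runs, so unauthenticated input never reaches a parser.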
References for further details include a GitHub Gist at https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 (likely containing a proof-of-concept), the main MixPHP repository at https://github.com/mix-php/mix, and the vulnerable Server.php source at https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php. No specific patch or mitigation guidance is detailed in the provided CVE information.
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise TechniquesAI
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The unsafe deserialization flaw in the localhost-bound TCP service lets an attacker who already has a foothold on the host send a crafted PHP closure and execute arbitrary code as the server process. Where that process runs with higher privileges than the attacker's foothold (for example, a low-privileged web worker connecting to a server run as a more privileged account), this is exploitation for privilege escalation; where both run as the same user, it is lateral movement into the application's process rather than an elevation.