Brian M. Carlson reported the following flaw in PHP: PHP uses the DJB "times 33" hash to hash strings in its hash tables, without the use of any secret key. Hash values are therefore the same between multiple invocations. As a result, it's trivial to precompute a set of values that all hash to the same bucket and cause positively abysmal performance. If a script accepts untrusted hash keys, such as from JSON input, it is subject to a DoS attack. PHP implemented the max_input_vars option, but this is not effective in the general case, especially in the era of JSON-laden POST requests. Perl, Python, and Ruby have all addressed their CVEs properly, but PHP has not and as a result is still vulnerable. Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800564 Additional information: https://github.com/bk2204/php-hash-dos
Created php tracking bugs for this issue: Affects: fedora-all [bug 1269112]
Upstream bug report: https://bugs.php.net/bug.php?id=70644 Ways to fix this issue are still being investigated.
There is no activity on this upstream and it seems unlikely that it will be picked up any soon. Upstream strongly suggests validating all inputs via the PHP application before loading them into such data structures. (such as hash tables).