The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Upstream bug: https://bugs.php.net/bug.php?id=73257
Upstream patch: https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4
External references: http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/
This issue occurs when untrusted input is unserialized, a practice that is documented as insecure. Unserialization can cause code to be loaded and executed through object instantiation and autoloading, and a malicious user may be able to exploit this. Consider using a safe, standard data interchange format such as JSON instead.
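As an added illustration of the advice above (example code, not part of the advisory or of php-src), the unsafe pattern next to two safer ways of accepting data from an untrusted source; the function names are hypothetical and the sample inputs are constructed:

```php
<?php
// Added example, not code from the advisory or from php-src.
// Three ways of accepting data from an untrusted source, from worst to best.

// UNSAFE: the pattern the advisory warns about. unserialize() instantiates
// whatever classes the payload names (SplObjectStorage included), runs their
// unserialize handlers, and triggers autoloading.
function loadUntrustedUnsafe(string $raw)
{
    return unserialize($raw);
}

// SAFER (PHP >= 7.0): refuse object instantiation. Every class named in the
// payload is replaced by __PHP_Incomplete_Class, so no class-specific
// unserialize handler runs and only scalars and arrays come back usable.
function loadUntrustedNoObjects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// PREFERRED: JSON carries no class information and never instantiates
// objects. Decode to arrays and treat any parse error as a hard failure.
function loadUntrustedJson(string $raw, int $maxDepth = 64): array
{
    $data = json_decode($raw, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('Rejected input: ' . json_last_error_msg());
    }
    if (!is_array($data)) { // a bare scalar at top level is not valid here
        throw new InvalidArgumentException('Rejected input: expected object or array');
    }
    return $data;
}

// Constructed sample inputs (no exploit payload): a plain array, and the same
// record carrying an object the way a serialized payload would.
$plain      = serialize(['user' => 'alice', 'roles' => ['reader']]);
$withObject = serialize((object) ['user' => 'alice']);

var_dump(loadUntrustedNoObjects($plain)['user']);
var_dump(get_class(loadUntrustedNoObjects($withObject)));
var_dump(loadUntrustedJson('{"user":"alice","roles":["reader"]}')['roles']);
```

The second var_dump shows the object arriving as __PHP_Incomplete_Class rather than as a live instance, which is what keeps class-specific unserialize code such as SplObjectStorage's out of the path for untrusted data.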