
Introducing Reachability for PHP

Socket.dev has launched an experimental PHP reachability analysis tool designed to reduce vulnerability alert fatigue. By building function-level call graphs through deep static analysis, including PHP's dynamic dispatch patterns, the tool determines whether the code behind a known CVE in a dependency is actually reachable from the application's own code, rather than merely present in the installed version.

Confidence: high | Analyzed: 2026-04-25 | Type: reports

Authors: Socket.dev Team

Source: Socket

Key Takeaways

  • Socket.dev introduced experimental reachability analysis for PHP to help prioritize actionable CVEs and reduce alert fatigue.
  • The analysis engine successfully handles complex PHP patterns like magic method dispatch (__call) and string-keyed service containers.
  • Reachability analysis suppresses false positives by determining whether the vulnerable code (e.g., the sink behind CVE-2022-29248 in Guzzle) is actually executed by the application, rather than flagging every installed vulnerable version.
  • The tool has been validated against major PHP frameworks like WordPress, Laravel, and Symfony with high accuracy.

Affected Systems

  • PHP
  • Composer
  • WordPress
  • Laravel
  • Symfony
  • guzzlehttp/guzzle
  • twig/twig

Vulnerabilities (CVEs)

  • CVE-2022-29248

Attack Chain

The article traces the execution path into a vulnerable dependency rather than an attacker's kill chain. In the worked example (CVE-2022-29248), the application constructs a Guzzle Client with a CookieJar. The client builds the default handler stack, which pushes the cookie middleware. When the application sends a request, the call dispatches through the middleware chain of closures and promises until it reaches the vulnerable sink, CookieJar::extractCookies, which stores the Set-Cookie headers of the response in the jar. In affected Guzzle versions this lets a response set cookies for a domain other than the responding host (cross-domain cookie leakage); the path shown in the article passes through Guzzle's RedirectMiddleware, so the leak occurs across a redirect to a different domain.
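As an added example (not code from the Socket.dev article, nor from Guzzle), the following PHP script reproduces the shape of the call chain above together with the two dispatch patterns named in the key takeaways: a string-keyed service container and __call magic dispatch. It assumes PHP 8.0+ and guzzlehttp/guzzle installed through Composer; the Container and HttpFacade classes, the container ids and the host names are invented for illustration, and the response is served by Guzzle's MockHandler so the script runs offline. The jar contents printed at the end are what differ between affected and fixed Guzzle releases.

```php
<?php
// Added example, not code from the Socket.dev article or from Guzzle. Assumes PHP 8.0+
// and guzzlehttp/guzzle installed via Composer (`composer require guzzlehttp/guzzle`).
// Host names, container ids and class names are invented for illustration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Cookie\CookieJar;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

// Constructed response: the mocked server at api.example.test tries to set a cookie
// scoped to a different domain. MockHandler serves it, so nothing leaves the machine.
function mockStack(): HandlerStack
{
    $mock = new MockHandler([
        new Response(200, ['Set-Cookie' => 'session=abc123; Domain=other.example.test; Path=/']),
    ]);
    // HandlerStack::create() pushes the default middleware, including Middleware::cookies().
    return HandlerStack::create($mock);
}

// Pattern 1: a string-keyed service container. The call site $c->get('http.client') gives a
// naive call-graph builder no class to resolve; the key has to be traced back to its factory.
final class Container
{
    /** @var array<string, callable> */
    private array $factories = [];
    /** @var array<string, object> */
    private array $instances = [];

    public function set(string $id, callable $factory): void
    {
        $this->factories[$id] = $factory;
    }

    public function get(string $id): object
    {
        return $this->instances[$id] ??= ($this->factories[$id])($this);
    }
}

// Pattern 2: __call magic dispatch. HttpFacade declares no get() method; the call is forwarded
// at runtime, and Guzzle's Client in turn maps get() onto request() through its own __call.
final class HttpFacade
{
    public function __construct(private Client $client) {}

    public function __call(string $name, array $args): mixed
    {
        return $this->client->{$name}(...$args);
    }
}

$c = new Container();
$c->set('cookie.jar', fn() => new CookieJar());

// Reachable: 'cookies' is a CookieJar, so the cookie middleware is active and
// CookieJar::extractCookies() runs on every response that comes back through the stack.
$c->set('http.client', fn(Container $c) => new HttpFacade(new Client([
    'handler' => mockStack(),
    'cookies' => $c->get('cookie.jar'),
])));

// Not reachable: identical Guzzle release, but 'cookies' keeps its default of false, so
// Middleware::cookies() passes the request straight through and the sink is never called.
$c->set('http.client.nocookies', fn() => new HttpFacade(new Client([
    'handler' => mockStack(),
])));

// Application code in the style of the article's NotificationService: the vulnerable call
// chain is only visible once both the container key and the __call forwarding are resolved.
function notify(Container $c, string $serviceId): int
{
    $http = $c->get($serviceId);                                // which class? depends on the string key
    $response = $http->get('https://api.example.test/notify');  // HttpFacade::__call -> Client::__call -> request()
    return $response->getStatusCode();
}

notify($c, 'http.client');
notify($c, 'http.client.nocookies');

// What the jar kept from the cross-domain Set-Cookie. On releases that fix CVE-2022-29248
// (6.5.6 / 7.4.3 and later) the cookie is rejected and this prints an empty array; on
// affected releases it is stored for other.example.test, which is the leak.
var_export($c->get('cookie.jar')->toArray());
```

The two service ids show what a version-only scan cannot distinguish: both clients pull in the same Guzzle release, but only 'http.client' ever reaches CookieJar::extractCookies. Seeing that requires following the string key to its factory and the dynamic get() through two layers of __call (the facade's and Guzzle's own), which is the kind of edge the article says the analysis resolves.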

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Socket.dev

Detection of reachable vulnerabilities is provided via the Socket.dev platform and CLI using static reachability analysis.

Detection Engineering Assessment

  • EDR Visibility: None. This is a static code analysis feature, not an endpoint behavioral detection.
  • Network Visibility: None. Static analysis of source code does not generate network traffic.
  • Detection Difficulty: Moderate. Identifying reachable vulnerable code requires static analysis capable of resolving PHP's dynamic dispatch patterns (magic methods, string-keyed containers).

Required Log Sources

  • Source Code
  • Dependency Manifests

Hunting Hypotheses

  • Hypothesis: Applications using vulnerable versions of Guzzle with cookie middleware enabled may be susceptible to cross-domain cookie leakage.
    • Telemetry: Application source code / dependency scans
    • ATT&CK Stage: Initial Access
    • FP Risk: Low

Control Gaps

  • Traditional Software Composition Analysis (SCA) tools that only check dependency versions without verifying code reachability.

Key Behavioral Indicators

  • Presence of vulnerable dependencies (e.g., Guzzle) combined with code paths that actively invoke the vulnerable functions (e.g., CookieJar::extractCookies).

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch applications using vulnerable versions of Guzzle (CVE-2022-29248) where cookie handling is enabled.
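As an added example (not from the article or from Socket.dev), the PHP script below is the version-only check that the Control Gaps section describes as traditional SCA: it reads a composer.lock document and reports Guzzle releases older than the fix for CVE-2022-29248 (6.5.6 on the 6.x branch, 7.4.3 on the 7.x branch, as published in the Guzzle advisory). It says nothing about whether the application reaches CookieJar::extractCookies, which is exactly the gap reachability analysis fills. The embedded lock excerpt is constructed for illustration; pass a real composer.lock path as the first argument instead.

```php
<?php
// Added example, not from the article or from Socket.dev. A version-only check of the kind the
// article calls "traditional SCA": it reports whether an affected Guzzle release is installed,
// not whether the application ever reaches CookieJar::extractCookies. Fixed versions are taken
// from the Guzzle advisory for CVE-2022-29248 (6.5.6 and 7.4.3).
declare(strict_types=1);

// Constructed composer.lock excerpt for illustration; pass a real lock file path as $argv[1].
const SAMPLE_LOCK = <<<'JSON'
{
  "packages": [
    {"name": "guzzlehttp/guzzle", "version": "7.4.2"},
    {"name": "twig/twig", "version": "3.4.1"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "9.5.20"}
  ]
}
JSON;

/**
 * Branch-aware fixed-version table: a package is affected if its major version has an
 * entry here and the installed version is older than that entry.
 * @return array<string, array<int, string>>
 */
function fixedVersions(): array
{
    return [
        'guzzlehttp/guzzle' => [6 => '6.5.6', 7 => '7.4.3'],
    ];
}

/** Normalise Composer version strings such as "v7.4.2" for version_compare(). */
function normalise(string $version): string
{
    return ltrim($version, 'v');
}

/**
 * Returns the affected packages from a composer.lock document as rows of
 * ['name' => ..., 'installed' => ..., 'fixed' => ..., 'section' => ...].
 */
function affectedPackages(string $lockJson, array $fixed): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name = $pkg['name'];
            if (!isset($fixed[$name])) {
                continue;
            }
            $installed = normalise($pkg['version']);
            // "dev-main" and similar branch aliases yield major 0 and are skipped; check those by hand.
            $major = (int) explode('.', $installed)[0];
            $fixedIn = $fixed[$name][$major] ?? null;
            if ($fixedIn === null) {
                continue; // branch not covered by the table; consult the advisory for it
            }
            if (version_compare($installed, $fixedIn, '<')) {
                $findings[] = [
                    'name' => $name,
                    'installed' => $installed,
                    'fixed' => $fixedIn,
                    'section' => $section,
                ];
            }
        }
    }
    return $findings;
}

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOCK;
foreach (affectedPackages($lockJson, fixedVersions()) as $f) {
    printf(
        "%s %s (%s) is affected by CVE-2022-29248; upgrade to >= %s\n",
        $f['name'], $f['installed'], $f['section'], $f['fixed']
    );
}
```

With the constructed lock the script reports guzzlehttp/guzzle 7.4.2 and recommends 7.4.3. Composer 2.4 and later performs the same version-only check against the Packagist advisory database with `composer audit`; either way, a hit means the dependency needs attention, and reachability analysis is what tells you whether it needs it now.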

Infrastructure Hardening

  • Implement reachability analysis tools to prioritize vulnerability remediation based on actual exploitability.

User Protection

  • N/A

Security Awareness

  • Educate development teams on the difference between vulnerable dependencies and reachable vulnerabilities to reduce alert fatigue.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application

Additional IOCs

  • File Paths:
    • vendor/guzzlehttp/guzzle/src/Client.php - Guzzle client source file involved in the execution chain
    • vendor/guzzlehttp/guzzle/src/HandlerStack.php - Guzzle handler stack source file
    • src/NotificationService.php - Example application source file initiating the vulnerable call chain
    • src/RedirectMiddleware.php - Guzzle middleware source file shown in reachability evidence
  • Command Lines:
    • socket scan create --reach
      • Purpose: Initiate a full application reachability scan using the Socket CLI
      • Tool: socket
      • Stage: Discovery