Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-x9p2-77v6-6vhf

FrankenPHP has delayed propagation of security fixes in upstream base images
Back to all
CVE

GHSA-x9p2-77v6-6vhf

FrankenPHP has delayed propagation of security fixes in upstream base images

Delayed propagation of security fixes in upstream base images

Summary

Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images.

FrankenPHP's container images were previously built only when specific version tags were updated or when manual triggers were initiated. This meant that if an upstream base image (such as Alpine Linux or official PHP/Go images) received a security patch under an existing tag, the FrankenPHP image would remain on the older, vulnerable version of those base layers.

Impact

Users pulling FrankenPHP images may have been running environments with known vulnerabilities in underlying system libraries (e.g., libcrypto3) even if they were using the "latest" version of a specific FrankenPHP tag.

Specifically, this includes vulnerabilities recently patched in Alpine 3.20.9, 3.21.6, 3.22.3, and 3.23.3, such as CVE-2025-15467 (Remote Code Execution in libcrypto3).

Details

The issue was a lack of automated "staleness" detection in the CI/CD pipeline.

Unless explicitly told, our build server was building new Docker images only when a new tag for base images was created. However, base images such as Alpine, PHP, and Go usually overwrite existing Docker tags to apply security fixes, which wasn't triggering a new build on our side.

Patches

As of February 4, 2026, the CI/CD pipeline has been updated.

  • Automated Detection: A daily check is now performed to compare the digest of local base images against upstream registries.
  • Auto-Rebuild: If a change is detected in base images (even if the tag name remains the same), FrankenPHP images are automatically rebuilt and re-pushed.

Users are advised to pull the latest versions of their specific tags to receive these updates.

Workarounds

You can force a local rebuild of your environment using the --pull flag to ensure you are fetching the latest patched base layers:

docker pull dunglas/frankenphp:latest
## If building your own image based on FrankenPHP
docker build --pull -t my-app .

References

Credits

Thanks to Tim Nelles for reporting and fixing this issue.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/php/frankenphp/security/advisories/GHSA-x9p2-77v6-6vhf, https://github.com/php/frankenphp

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading