{"id":64859,"date":"2026-06-22T14:36:18","date_gmt":"2026-06-22T14:36:18","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=64859"},"modified":"2026-06-22T14:36:18","modified_gmt":"2026-06-22T14:36:18","slug":"php-857-domxmlserializationalgorithm-stack-overflow","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=64859","title":{"rendered":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962"},"content":{"rendered":"

{“lastseen”:”2026-06-22T18:40:33″,”description”:”PHP version 8.5.7 suffers from a stack overflow vulnerability due to unbounded recursion in domxmlserializationalgorithm and domxmlserializeelementnode…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:223962″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# PHP 8.5.7 `dom_xml_serialization_algorithm()` stack-overflow\\n \\n **Author:** Khashayar Fereidani\\n **Disclosure Date:** 2026-06-18\\n **Advisory:** https:\/\/fereidani.com\/php-857-domxmlserializationalgorithm-stack-overflow\\n **Contact:** https:\/\/fereidani.com\/contact\\n \\n ## Description\\n \\n The `dom_xml_serialization_algorithm()` and\\n `dom_xml_serialize_element_node()` functions in\\n `ext\/dom\/xml_serializer.c` rely on unbounded recursion to serialize\\n XML nodes. When serializing a deeply nested XML tree, the continuous\\n recursive calls exhaust the thread’s stack space, causing a\\n segmentation fault (SIGSEGV). This issue can be triggered via\\n `Dom\\\\XMLDocument::saveXml()` or by accessing the `$innerHTML` \/\\n `$outerHTML` properties of `Dom\\\\XMLDocument` elements. Note that\\n `Dom\\\\HTMLDocument` uses an iterative approach and is unaffected.\\n \\n ## Proof of concept\\n \\n “`php\\n \\u003c?php\\n \/\/ A stack overflow occurs due to unbounded recursion in\\n \/\/ dom_xml_serialization_algorithm() and dom_xml_serialize_element_node()\\n \/\/ within ext\/dom\/xml_serializer.c (introduced in PHP 8.4\/8.5).\\n \/\/ The file’s own TODO at line 41 notes:\\n \/\/ \\”TODO: implement iterative approach instead of recursive?\\”.\\n \/\/\\n \/\/ Under the default 8MB thread stack, serializing a deeply nested XML\\n \/\/ tree crashes PHP with a SIGSEGV (139). Running with `ulimit -s unlimited`\\n \/\/ prevents the crash, proving it is stack exhaustion rather than a logic bug.\\n \/\/\\n \/\/ The vulnerability is reachable via Dom\\\\XMLDocument::saveXml()\\n \/\/ and the $innerHTML \/ $outerHTML properties of Dom\\\\XMLDocument elements.\\n \/\/ Note that Dom\\\\HTMLDocument is unaffected, as its HTML5 serializer\\n \/\/ (dom_html5_serialize_node) is iterative.\\n \\n $document = Dom\\\\XMLDocument::createEmpty();\\n $root = $document-\\u003ecreateElement(‘root’);\\n $document-\\u003eappendChild($root);\\n \\n $current = $root;\\n \\n \/\/ This loop creates a deeply nested tree.\\n \/\/ It crashes under the default stack limit but succeeds with `ulimit\\n -s unlimited`.\\n for ($i = 0; $i \\u003c 25000; $i++) {\\n $element = $document-\\u003ecreateElement(‘e’);\\n $current-\\u003eappendChild($element);\\n $current = $element;\\n }\\n \\n \/\/ This line is never reached under the default stack limit.\\n var_dump(strlen(@$document-\\u003esaveXml()));\\n “`\\n \\n Running the script results in:\\n \\n “`bash\\n Segmentation fault (core dumped) php poc.php\\n “`\\n \\n ## Impact\\n \\n An attacker could cause a Denial of Service (DoS) by providing a\\n maliciously crafted, deeply nested XML document. If the application\\n processes and attempts to serialize this untrusted structure, the PHP\\n process will abruptly crash due to stack exhaustion.\\n \\n ## Solution\\n \\n Refactor the serialization algorithm in `ext\/dom\/xml_serializer.c` to\\n use an iterative approach rather than unbounded recursion. A `TODO`\\n comment already exists in the file at line 41 (\\”TODO: implement\\n iterative approach instead of recursive?\\”). Alternatively, enforcing a\\n hard limit on DOM nesting depth during creation and parsing could\\n mitigate the exploitability.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223962″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223962\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-22T18:40:33″,”description”:”PHP version 8.5.7 suffers from a stack overflow vulnerability due to unbounded recursion in domxmlserializationalgorithm and domxmlserializeelementnode…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:223962″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# PHP 8.5.7 `dom_xml_serialization_algorithm()`…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-64859","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=64859\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-22T18:40:33″,”description”:”PHP version 8.5.7 suffers from a stack overflow vulnerability due to unbounded recursion in domxmlserializationalgorithm and domxmlserializeelementnode…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:223962″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# PHP 8.5.7 `dom_xml_serialization_algorithm()`...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=64859\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-22T14:36:18+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962\",\"datePublished\":\"2026-06-22T14:36:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859\"},\"wordCount\":597,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=64859#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859\",\"name\":\"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-22T14:36:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=64859\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=64859#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=64859","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem","og_description":"{“lastseen”:”2026-06-22T18:40:33″,”description”:”PHP version 8.5.7 suffers from a stack overflow vulnerability due to unbounded recursion in domxmlserializationalgorithm and domxmlserializeelementnode…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:223962″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# PHP 8.5.7 `dom_xml_serialization_algorithm()`...","og_url":"https:\/\/zero.redgem.net\/?p=64859","og_site_name":"zero redgem","article_published_time":"2026-06-22T14:36:18+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=64859#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=64859"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962","datePublished":"2026-06-22T14:36:18+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=64859"},"wordCount":597,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=64859#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=64859","url":"https:\/\/zero.redgem.net\/?p=64859","name":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-22T14:36:18+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=64859#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=64859"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=64859#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 PHP 8.5.7 dom_xml_serialization_algorithm() Stack Overflow_PACKETSTORM:223962"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/64859","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64859"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/64859\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}