PHP-FPM CVE-2019-11043: an RCE that depended on a copy-pasted nginx config
CVE-2019-11043 is a remote code execution bug in PHP-FPM, but it only fires on a specific nginx configuration, one that circulated widely in tutorials and got copy-pasted into production everywhere. The bug is in the code; the exposure came from a config snippet.
CVE-2019-11043 is a remote code execution vulnerability in PHP-FPM, the FastCGI process manager that serves PHP behind web servers like nginx. The bug itself is a pointer underflow in fpm_main.c: given a crafted request path, PHP-FPM miscomputes where PATH_INFO starts and writes before the buffer it was handed. But the reason it became a widespread, exploitable problem is a configuration detail. It only triggers when nginx splits the script name from the path info with an anchored fastcgi_split_path_info regex, passes the second capture to PHP-FPM as PATH_INFO, and hands the request over without first checking that the requested script exists on disk (no try_files or if (-f) check in front of fastcgi_pass). That exact snippet circulated for years in popular tutorials and Stack Overflow answers, so it ended up copy-pasted into production on countless servers whose operators had no idea they had inherited an RCE precondition. Found during Real World CTF 2019 and written up by Wallarm, whose researchers published a working exploit, it was weaponized quickly.
What the bug is
In the vulnerable configuration, an attacker requests a .php path that contains an encoded newline (%0A). nginx's split regex cannot match across the newline, so it sends PHP-FPM an empty PATH_INFO while SCRIPT_FILENAME still carries the trailing path; PHP-FPM's path-info arithmetic then underflows, giving the attacker a write before the buffer, into memory that holds other FastCGI parameters. Sized carefully, that write corrupts the parameter table so PHP-FPM picks up attacker-chosen ini settings through the PHP_VALUE mechanism, which is enough to inject and execute PHP code. The result is remote code execution as the web/PHP user. PHP fixed it in releases 7.1.33, 7.2.24, and 7.3.11; CISA added it to the Known Exploited Vulnerabilities catalog with the ransomware flag after in-the-wild exploitation, including by cryptominers and webshell campaigns against the large population of nginx+PHP-FPM sites running the vulnerable config.
The lesson: configuration snippets are part of your attack surface
The interesting thing about CVE-2019-11043 is not the memory bug but the delivery mechanism: the config that exposes it. A huge fraction of the affected servers were vulnerable because someone, somewhere, wrote an nginx config that worked, published it, and thousands of people copied it without understanding every directive. The dangerous lines weren’t obviously dangerous; splitting path info with a regex is a reasonable-looking way to route requests to PHP, and what was missing, a check that the requested script actually exists before the request reaches fastcgi_pass, is the kind of absence nobody notices in a snippet that works.
The general principle: copy-pasted configuration is unaudited code running in production. Web-server configs, especially the routing and FastCGI/proxy directives that decide how requests reach your application, deserve the same scrutiny as application code, because they shape the attack surface directly. When you adopt a config snippet from a tutorial, understand what each directive does, particularly anything touching path handling, request rewriting, and how the upstream is invoked. The convenient snippet that “just works” can carry an exposure the author never mentioned.
What to do
- Patch PHP to a fixed version (7.1.33, 7.2.24, 7.3.11, or later). The patch fixes the underlying underflow regardless of config, so it protects even vulnerable nginx setups.
- Audit your nginx + PHP-FPM configuration. Look for every location block that has a fastcgi_split_path_info regex anchored with ^ and $, sets PATH_INFO from $fastcgi_path_info (directly or through an included params file), and passes to PHP-FPM with no file-existence check in front of fastcgi_pass. Add one (try_files $fastcgi_script_name =404; or if (!-f $document_root$fastcgi_script_name) { return 404; }) so that a crafted path that does not exist on disk is answered with a 404 before it reaches PHP-FPM. If nginx runs in a container that cannot see the PHP files, it cannot perform that check, which is one reason the pattern is common there; patching PHP is then the only fix. Even patched, a cleaner config reduces risk.
- Assume compromise on long-exposed, unpatched servers. Public exploits have circulated since 2019. Hunt for web shells, the PHP/nginx worker spawning shells, cryptominer processes, and access-log entries with an encoded newline (%0A) in the path of a .php request.
- Treat infrastructure config as reviewable code. Put web-server and proxy configs in version control, review changes, and don’t deploy copy-pasted snippets you can’t fully explain.
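To make the pattern concrete, here is an added example, written for this note rather than taken from nginx, PHP or the advisory: a small Python auditor that reads nginx config text and flags location blocks with the exposure shape described above (anchored fastcgi_split_path_info, PATH_INFO from $fastcgi_path_info, fastcgi_pass with no file-existence check), plus a log check for requests with an encoded newline in a .php path. The two config strings inside it are constructed: VULNERABLE_CONF is the tutorial-style block, HARDENED_CONF the same block with a try_files check added. The access-log lines are constructed as well, and the socket path, document root, addresses and the function names (location_blocks, audit, exploit_like_requests) are this example's own choices.

```python
"""Audit nginx config text for the CVE-2019-11043 exposure pattern and hunt
access logs for probes that target it. Added example for this note, not code
from nginx, PHP or the advisory. The block scanner only understands the
`location { ... }` structure PHP-FPM configs use and does not resolve
`include` files, so included parameter files are listed for manual review."""
import re

# Constructed sample: the tutorial-style block that exposes the bug. Nothing
# checks that the requested script exists, so /index.php/x%0Ay (the newline
# breaks the split regex) reaches PHP-FPM with an empty PATH_INFO while
# SCRIPT_FILENAME still carries the trailing junk. Paths are placeholders.
VULNERABLE_CONF = r"""
server {
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

# Constructed sample: same routing, but the script must exist on disk before
# the request is handed to PHP-FPM, so the crafted path is answered with 404.
# `if (!-f $document_root$fastcgi_script_name) { return 404; }` also works.
HARDENED_CONF = r"""
server {
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

FILE_CHECK = re.compile(r"\btry_files\b|\bif\s*\(\s*!?\s*-[fe]\b")


def location_blocks(conf):
    """Yield (header, body) for each location block; brace matching keeps a
    nested `if { ... }` inside the location that owns it."""
    text = re.sub(r"#[^\n]*", "", conf)  # strip comments first
    for m in re.finditer(r"\blocation\b([^{]*)\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def audit(conf):
    """One finding per location that passes to PHP-FPM with an anchored split
    regex, PATH_INFO from $fastcgi_path_info (here or maybe via an include)
    and no file-existence check in front of fastcgi_pass."""
    findings = []
    for header, body in location_blocks(conf):
        if not re.search(r"\bfastcgi_pass\b", body):
            continue
        split = re.search(r"\bfastcgi_split_path_info\s+(\S+?)\s*;", body)
        if not split or not (split.group(1).startswith("^") and split.group(1).endswith("$")):
            continue
        explicit = bool(re.search(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b", body))
        includes = re.findall(r"\binclude\s+(\S+?)\s*;", body)
        if not (explicit or includes):
            continue  # PATH_INFO never reaches PHP-FPM from this block
        if FILE_CHECK.search(body):
            continue  # a crafted, non-existent path is answered with 404
        findings.append({"location": header, "split_regex": split.group(1),
                         "path_info": "set here" if explicit else "not set here; check included files",
                         "includes": includes})
    return findings


# Constructed nginx access-log lines: a legitimate path-info request and a
# probe with an encoded newline in a .php path. nginx logs $request as sent,
# so the %0A survives; worker crashes during exploitation show up as 502s.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2019:10:01:02 +0000] "GET /index.php/user/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Oct/2019:10:01:09 +0000] "GET /index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQQQQQQQQQQQQQ HTTP/1.1" 502 157 "-" "-"
"""

EXPLOIT_SHAPE = re.compile(r'"[A-Z]+ (\S*\.php\S*%0[aA]\S*) HTTP/')


def exploit_like_requests(log_text):
    """Return (client, request_target) for lines whose target is a .php path
    with an encoded newline: the one ingredient every public exploit for this
    bug needs, because the newline is what breaks nginx's split regex."""
    hits = []
    for line in log_text.splitlines():
        m = EXPLOIT_SHAPE.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits
```

Calling audit(VULNERABLE_CONF) returns one finding naming the location, its split regex and the included params file; audit(HARDENED_CONF) returns nothing, because the try_files line means a crafted path that does not exist on disk never reaches PHP-FPM. The auditor does not follow include directives, so it lists them in each finding: an included parameter file is where a PATH_INFO line may hide. The hardening assumes nginx can see the PHP files; where it cannot (nginx and PHP-FPM in separate containers with no shared volume) the check is unavailable and the PHP patch is the only fix.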
The reframe is to widen “attack surface” to include the configuration glue between your components, not just the components themselves. CVE-2019-11043 was a PHP-FPM bug, but it spread on the back of a config pattern that everyone shared and nobody audited. Patch PHP, review the nginx directives that route requests to it, and treat the configs you copy from the internet with the same suspicion you’d give code you copy from the internet. We flag the config-dependent entries because they’re the bugs where the fix is partly a patch and partly understanding what your own server is set up to do.