PHP, third party libraries, and CVEs

Please enjoy my harrowing tale:

I ran a scan and it popped up suggesting nghttp2.dll that is packaged with Windows PHP is vulnerable to CVE-2020-11080.

Alright, no problem, I’ll just update PHP. Ah, no, the latest one is still using nghttp2 1.40.

Okay, let’s see if PHP has addressed this themselves by building their own version. Hm, can’t find the source anywhere. When you go to PHP: internals:windows:stepbystepbuild_sdk_2 it directs you to GitHub - microsoft/php-sdk-binary-tools: Tool kit for building PHP under Windows which appears to have no releases for the past two years. If you download the latest release, you get version 1.32. That can’t be right.

Let’s see the old documentation here:

Alright if I follow this rabbit hole I get here: which again has version 1.40. So the old documentation leads me to the newer dll? Cool.

Okay so this is frustrating. Where did PHP get this dll from? If I go to nghttp2 directly and get the 1.40 source and build it, my dll is different from the PHP version.

So where is PHP’s source for this dll? Is it vulnerable to the CVE? How do I know? Why hasn’t PHP upgraded it?

Do you have a reason to use Windows-PHP? It is seldom used by professionals in my humble opinion.
Most use the more standard Apache version. For local testing, just install Wamp which includes Apache, MySQL, PHP and other libraries already to go. And, it is all contained inside one folder so it is easy to back up. Windows, meaning Microsoft, tracks everything, so I dislike using it.

CVE is basically a Denile-Of-Service attack. Here is Microsoft’s page on it and a list of fixes and updates. You might want to see if these fix it. Good luck!

We’re about a decade too late to reverse that decision. And the CVE is CVE-2020-11080 CVE - CVE-2020-11080

I just don’t know how to determine if PHP is vulnerable.

Well, did you READ the page I posted OR the last one you posted? Both say that you need to be using nghttp2 v1.41.0… If you are using one version less that 1.41.0 then you are vulnerable. Locate where your nghttp2 is setting, right-click on it and check it’s properties. See which version it is. Update it to at least 1.41.0…

Also, you can check the others in the list of 98 items on the Microsoft page and make sure those are up to date.

No, your link is to the wrong CVE. And yes I know the CVE is against 1.40, but that’s the one that PHP delivers with PHP Windows. That is how I got here. I am trying to figure out if PHP modified their version to fix it, if they don’t think they are vulnerable to it, or if they simply don’t know about it.

Well, Windows PHP is not created by PHP. It is created by Microsoft. And, they are discontinuing their PHP. So, this is a bit of a mute discussion. But, you can update the nghttp2 version yourself if needed.

Microsoft isn’t building PHP anymore. But PHP for Windows is not going anywhere.

PHP for Windows using Apache is NOT Windows-PHP…

You can still install PHP 8.0 on IIS despite Microsoft dropping support for it. Nothing has changed.

You keep saying nonsense. PHP installed on anything is NOT Windows-PHP. They are two different things. One based on Apache and Zend and the other Microsoft. I am not arguing with you. It is still PHP, but, you were talking about nghttp2.dll. We covered that.

****** EDIT *****
nghttp2.dll is NOT on any of my four PHP systems and it is NOT a Microsoft product.
It is found at: And, you can update your old versions there.
Since this was fixed three or more versions ago, it should not be an issue. Just update your
version to at least 1.41 and you should be all set. Again, sorry, if you were not clear that you
are discussing something no longer a problem. And, sorry if I offended you. It was not meant that way!

You called [the thing that requires nghttp2.dll] “Windows PHP”.
I was referring to Windows PHP as the thing you download at
Microsoft said they were going to stop providing the builds for it after 7.4.
If you go to, you can download 8.0.8, which is beyond Microsoft’s support AND contains nghttp2.dll.

I don’t know where your confusion is. It exists. It requires nghttp2.dll. It is not going away.

This is my last comment on this. Microsoft is not making any more builds of it. Therefore, it will go away at some point. Nobody uses PHP 3 anymore. PHP 8 will go away, too. If you have a problem with nghttp2, make sure it is at ;east version 1.41 and you are safe. Good night.

Just for anybody who ends up here via Google: Ernie is just plain wrong. PHP for Windows is NOT going away. It already has 8 builds beyond Microsoft’s support.

Well, as it is open-source, it will continue as long as someone makes builds.
But, not supported by Microsoft. So, who knows who is making the builds.

Sponsor our Newsletter | Privacy Policy | Terms of Service