CVE-2014-125127 | Denial of Service (DoS) vulnerability in mikecao/flight

Exp

The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.

Published: 2025-09-03 Last update: 2026-06-17 Assigner: 596c5446-0ce5-4ba2-aa66-48b3b757a647 Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2014-125127

EPSS CVSS CWE Exploit-DB Affected

Conclusion & alert: CVE-2014-125127 is rated Exploit Available (57/100): CVSS High severity, with low exploitation likelihood (EPSS 0.42%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2014-125127

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2014-125127

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.13%	0.42%	+0.29%
2	2026-05-30	0.16%	0.13%	-0.03%
3	2026-05-20	—	0.16%	—

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-125127

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	596c5446-0ce5-4ba2-aa66-48b3b757a647

Weakness enumeration for CVE-2014-125127

CWE-770 MITRE ↗

Affected software / configurations for CVE-2014-125127

Vendor	Product	Version	Raw CPE
flightphp	flight	< 1.2	cpe:2.3:a:flightphp:flight::::::php::*

References for CVE-2014-125127

URL	Tags
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125127	Exploit Third Party Advisory
https://github.com/mikecao/flight/commit/da40e03eb4a39745107912dffe926a8fce0d38dc	Patch
https://github.com/mikecao/flight/pull/125	Issue Tracking

cvelogic Threat Intelligence