FrankenPHP Files

This release fixes CVE-2026-45062 (high, CVSS 8.1): unsafe Unicode handling in CGI path splitting let an attacker have a non-.php file executed as PHP via a crafted URL, in any deployment where attacker-controlled file names land on the served filesystem. All users on v1.11.2 through v1.12.2 should upgrade.

It also brings a ~7-8% Hello World throughput bump from a refreshed PGO profile, configurable per-thread request limits, persistent-zval helpers for sharing state across threads, a cross-platform force-kill primitive for stuck PHP threads, correct SCRIPT_NAME / PHP_SELF / PATH_INFO server variables, and a long series of frankenphp extension-init (extgen) generator fixes by @alexandre-daubois.

Released binaries now carry SLSA build-provenance attestations — verify with gh attestation verify <binary> --owner php or gh attestation verify oci://docker.io/dunglas/frankenphp@sha256:... --owner php.

🔒 Security

• Unsafe Unicode handling in CGI path splitting allowed execution of non-PHP files (GHSA-3g8v-8r37-cgjm / CVE-2026-45062). Reported by @KC1zs4.

🚀 Features

• Configurable max_requests for PHP threads by @nicolas-grekas in #2292
• Persistent-zval helpers (deep-copy zval trees across threads) by @nicolas-grekas in #2366
• Cross-platform force-kill primitive for stuck PHP threads by @nicolas-grekas in #2365
• Release binaries now ship with SLSA build-provenance attestations by @dunglas in #2418

🐛 Fixes

• Set $_SERVER variables SCRIPT_NAME, PHP_SELF, and PATH_INFO correctly by @henderkes in #2317
• Fix dead forked pthread_fork children by @henderkes in #2332
• Fix upstream BC break on INI_INT() macro by @zeriyoshi in #2387
• Caddy: reject invalid split_path at provision time by @alexandre-daubois in #2350
• extgen parser hardening by @alexandre-daubois: better error handling (#2370), emit warnings to stderr (#2374), reset iota per const block (#2375), escape control chars in C string literals (#2377), extract Go function bodies via go/ast (#2379), symmetric Go type compatibility check (#2380)

⚡ Performance and Internal Improvements

• Use PGO to improve FrankenPHP's Go performance (7-8% Hello World throughput) by @henderkes in #2361
• perf(extgen): hoist const block regexes out of parser loop by @alexandre-daubois in #2378
• refactor: add drain() seam to threadHandler interface by @nicolas-grekas in #2367
• refactor(extgen): share signature and parameter parsing helpers by @alexandre-daubois in #2376

📝 Documentation

• Improve worker docs, add internals docs by @dunglas in #2334
• Add SEO frontmatter, llms.txt, and code-block hygiene by @dunglas in #2394
• Fix migration guide menu entry by @alexandre-daubois in #2373
• Adjust volume mount path in migrate.md by @francislavoie in #2337
• Fix Laravel trusted proxies URL by @mtmn in #2359
• Update wording in extensions documentation by @SpencerMalone in #2338

💖 New Contributors

• @zeriyoshi made their first contribution in #2387
• @mtmn made their first contribution in #2359

Need help adopting FrankenPHP, hardening a PHP application against issues like CVE-2026-45062, or squeezing more performance out of your workers? Les-Tilleuls.coop — the team behind FrankenPHP — provides professional support, consulting, custom development, and training. Get in touch: contact@les-tilleuls.coop.

Full Changelog: https://github.com/php/frankenphp/compare/v1.12.2...v1.12.3