Download Latest Version
frankenphp-windows-x86_64.zip (57.3 MB)
Get an email when there's a new version of FrankenPHP
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| frankenphp-mac-x86_64 | 2026-06-04 | 185.4 MB | |
| frankenphp-mac-arm64 | 2026-06-04 | 175.5 MB | |
| frankenphp-linux-x86_64-gnu | 2026-06-04 | 165.0 MB | |
| frankenphp-linux-aarch64-gnu | 2026-06-04 | 158.5 MB | |
| frankenphp-linux-x86_64-mimalloc | 2026-06-04 | 167.6 MB | |
| frankenphp-linux-x86_64 | 2026-06-04 | 167.5 MB | |
| frankenphp-linux-aarch64 | 2026-06-04 | 163.0 MB | |
| frankenphp-linux-x86_64-debug | 2026-06-04 | 220.4 MB | |
| frankenphp-windows-x86_64.zip | 2026-06-04 | 57.3 MB | |
| README.md | 2026-06-03 | 4.2 kB | |
| v1.12.4 source code.tar.gz | 2026-06-03 | 4.0 MB | |
| v1.12.4 source code.zip | 2026-06-03 | 4.3 MB | |
| Totals: 12 Items | 1.5 GB | 4 | |
FrankenPHP 1.12.4 is a hardening and stability release. It pulls in upstream security fixes from Caddy 2.11.4 and Mercure 0.24.2, closes a class of HTTP header spoofing, and fixes several crashes and data races in worker mode. Every user should upgrade.
The headline is defense-in-depth against underscore-header spoofing. CGI maps dashes to underscores (Foo-Bar becomes HTTP_FOO_BAR), so a client-supplied Foo_Bar header is indistinguishable from a legitimate Foo-Bar in $_SERVER and can spoof any header an app or upstream proxy trusts (forwarded-for, auth, etc.). The bundled Caddy 2.11.4 now ignores header fields containing underscores at the server layer, and FrankenPHP documents the risk for code using the Go API directly.
🔒 Security & Hardening
- Underscore header spoofing blocked at the server layer. The bundled Caddy 2.11.4 now ignores HTTP header fields whose name contains an underscore, preventing collisions with the dash-to-underscore CGI mapping (reported by @Vincent550102, patched by @dunglas upstream).
NewRequestWithContextnow documents the risk for direct Go API users by @dunglas in #2460. - Caddy 2.11.4 security patches bundled: TLS client-auth fix, Windows backslash normalization in the path matcher, rewrite placeholder re-expansion fix, and a patch for GHSA-vcc4-2c75-vc9v. See the Caddy 2.11.4 release notes.
- Mercure 0.24.2 security hardening bundled for the Mercure Caddy module: SSE field injection via
id/type(CWE-93) now rejected, reserved/.well-known/mercuretopic forgery blocked,Last-Event-IDmetadata disclosure fixed, and DoS amplification caps added. See the Mercure 0.24.2 release notes. - Security model documentation describing FrankenPHP's trust boundaries and what qualifies as a security issue by @alexandre-daubois in #2455.
🐛 Fixes
- Fix
ext-parallelcrashes by correctly propagating the parent thread index viaSG(server_context)by @henderkes in #2438. - Clear
in_save_handlerstate that blocked the subsequent close handler by @henderkes in #2443. - Fix a data race in metrics by replacing the mutex with a read-write mutex by @alexandre-daubois in #2450 and removing redundant shutdown assignments by @henderkes in #2452.
- Report
headers_sent()asfalseunder CLI emulation by @henderkes in #2453.
⚡ Internal Improvements
- Drop the unreachable space-to-underscore replacement in header names (Go's net/http already rejects spaces) by @dunglas in #2441.
- Make UPX packing opt-in via the
COMPRESSenv var by @dunglas in #2429. - Dependency updates including Caddy 2.11.4 and Mercure 0.24.2 in #2454 and #2462.
📖 Documentation
- Add a WoltLab Suite example by @SoftCreatR in #2428.
- Update the incompatibilities section by @henderkes in #2420.
💖 New Contributors
- @SoftCreatR made their first contribution in #2428.
Need help adopting FrankenPHP, hardening a PHP application against header-spoofing and real-time security issues like these, or auditing your worker setup for races? Les-Tilleuls.coop — the team behind FrankenPHP — provides professional support, consulting, custom development, and training. Get in touch: contact@les-tilleuls.coop.
Full Changelog: https://github.com/php/frankenphp/compare/v1.12.3...v1.12.4
