A security update has been released for all supported HHVM versions. Please upgrade to one of the following versions to receive it:

  • 4.18.1
  • 4.17.2
  • 4.16.3
  • 4.15.2
  • 4.14.2
  • 4.13.2
  • 4.12.2
  • 4.8.3
  • 3.30.9

This security update addresses an HTTP/2 Denial-of-Service vulnerability in the Proxygen library bundled with HHVM.

More information can be found in the respective CVEs:

Note that these vulnerabilities are not specific to HHVM or Proxygen, so keep an eye out for updates to other HTTP/2 server and client packages.