PHP agent release notes
Release date: September 9, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3, 8.4
New and improved:
The contrast-php-util script now verifies that the agent can be successfully loaded during installation and reports an error if it cannot, helping to prevent common installation issues related to system compatibility. (PHP-1030)
Added support for agent PHP version 8.4. This ensures that PHP 8.4 is now included as an option in all relevant CI workflows. (PHP-1124)
Introduced a performance optimization when using Protect to decrease memory usage. (PHP-1142)
Added instrumentation and test coverage for the new PDO SQLite subclass introduced in PHP 8.4. (PHP-1277)
Release date: August 22, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added support for Laravel 12. (PHP-1222)
Validate server environment when it is set. (PHP-1259)
Release date: August 8, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Package for the latest version of Ubuntu.
Bug fixes:
Fixed a seg fault that occurred on the second request if the XMLReader constructor was used. (PHP-1262)
Fixed the error rewriting complex properties. (PHP-1263)
Release date: June 18, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Report memory statistics to Contrast. (PHP-1234, PHP-1249)
Release date: May 30, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Support Masked Sensitive Data in attack values setting. (PHP-1207)
Performance improvements for Protect only installs. (PHP-1178)
Bug fixes:
Fixed format for effective configuration date. (PHP-1214)
Fixed issue with agent failures while running a Laravel Livewire application. (PHP-1185)
Release date: May 1, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Remove an error regarding effective configuration log path generation when not logging to a file. (PHP-1162)
Fix a bug where the Agent was improperly handling a constant string concatenation. (PHP-1208)
Fix a bug where an unwritable log path would cause an exception in a library initialization. (PHP-1211)
Change the message's severity for effective configuration log generation, as it does not affect Agent operation. (PHP-1213)
Release date: April 10, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Fixed the rewriting of functions with Closure parameters. (PHP-1172)
Release date: February 27, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Allow Laravel apps making use of Eloquent to perform properly by deadzoning those calls, which the agent does not properly handle. (PHP-1163)
Release date: January 16, 2025
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Add more fine-grained timing to log entries.
Bug fixes:
Fix format of security log timestamps. (PHP-1091)
Fix format of effective configuration data sent to TeamServer. (PHP-1116)
Archive
Release date: December 13, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Add new version of Ubuntu (Noble Numbat) as a supported release. (PHP-1092)
Assess performance improvements. (PHP-1039, PHP-1089, PHP-1090)
Add compatibility support for Drupal 11. (PHP-1023)
Bug fixes:
Fix issue with the format of the reported effective config. (PHP-1094)
Release date: November 25, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Generate and upload effective config. (PHP-997)
Add support for specifying the log rollover size for both the log file and the security log file. (PHP-1036)
Implement API v1.1 server settings endpoint support with polling on request. (PHP-1049)
Detect containerization and upload to TeamServer. (PHP-1068)
Bug fixes:
Fix the blocking mode as specified to TeamServer for Bot blocking and IP Blacklist. (PHP-1073)
Release date: October 9, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added support for reporting the cloud provider ID. (PHP-1027)
Implemented a PHP rule for the Content-Security-Policy header or meta tag. (PHP-1033)
Validated support for Drupal version 10. (PHP-849)
Bug fixes:
Fixed a segmentation fault that could potentially occur during agent shutdown when run with PHP version 8.1. (PHP-1058)
Release date: September 17, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added support for security log settings. (PHP-995)
The PHP agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (PHP-1016)
Note: Contrast TeamServer is not yet adding the token to the downloadable agent configuration file.
Added the X-Contrast-Reporting-Instance to Contrast TeamServer communication. (PHP-981)
Release date: August 21, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Fixed an issue regarding K8 failure to release build 1.32.0. (PHP-1009)
The agent now honors the flag to disable the xcontenttype-header-missing rule when sent from Contrast. (PHP-962)
Addressed an issue where occasionally, the client would send an incomplete application message, resulting in a Contrast error. (PHP-1004)
Addressed an issue where Laravel would fail to run when loaded with the agent and PHP version 8.2. (PHP-1019)
Release date: July 19, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added framework names for discovered routes. (PHP-976)
Added compatibility support for Laravel version 11. (PHP-982)
Added the ability for Protect to detect SQL injection vulnerability CVE-2024-27956. (PHP-915)
Bug fixes:
Cleaned up source code comments. (PHP-1008)
Fixed the title on reported vulnerabilities as seen in Contrast. (PHP-919 and PHP-912)
Release date: June 27, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added sensitive data masking for reported request cookies. (PHP-913)
Added an Unsafe File Upload protect rule. (PHP-818)
Added CEF logging for Protect. (PHP-822)
Bug fixes:
Fixed an issue that caused a SQL Injection vulnerability CVE-2024-27956 to be missed for Assess. (PHP-983)
Release date: June 11, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Initial support for WordPress version 6 content management system.
Initial support for Protect when running the PHP agent with the following rules in place:
Bot blocking
Command Injection
IP Blocking
Path Traversal
Reflected XSS
SQL Injection
Bug fixes:
Fixed a potential memory leak. (PHP-954)
Fixed an issue where the default logging location might not be in sync across processes. (PHP-937)
Release date: May 10, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
The agent's log file will now be written as follows:
If the directory is specified in the YAML file or the environment variable, then the log will be written to that location.
If the location is not specified:
The agent will attempt to log to $HOME/.contrast/contrast_agent.log
If that directory is not accessible, the fallback directory is /tmp/.contrast/
Lastly, if /tmp does not exist or there are insufficient privileges, then the log stream is written to stdout.
If using a contrast_security.yaml file for configuration settings, the file location should be specified using the CONTRAST_CONFIG_PATH environment variable. If not explicitly specified, the agent will look in the following locations:
/etc/contrast/php
/etc/contrast/
/etc/
Release date: May 6, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Addresses issue raised in Support Bulletin: Potential Sensitive Information Leak - PHP Agent 2nd May 2024.
If the contrast_security.yaml configuration file is in the application directory, the agent will disable itself when run in a production environment.
If the agent log file is configured to be created in the application directory, the agent will discontinue logging when run in a production environment.
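The config lookup order from the May 10, 2024 notes and the application-directory conditions from the May 6, 2024 notes can be combined into a pre-deployment check. This is an added example, not Contrast code: the function names are hypothetical, and it assumes the searched file is named contrast_security.yaml and that CONTRAST_CONFIG_PATH may name either the file or the directory holding it.

```shell
#!/bin/sh
# Added example, not Contrast code. Function names are hypothetical.
# Assumptions: the searched file is named contrast_security.yaml, and
# CONTRAST_CONFIG_PATH may name either the file or the directory holding it.

# Print the config file selected by the documented lookup order.
# $1 = root prefix (empty on a real host, a scratch dir when testing).
resolve_config() {
    if [ -n "${CONTRAST_CONFIG_PATH:-}" ]; then
        p=$CONTRAST_CONFIG_PATH
        if [ -d "$p" ]; then p=${p%/}/contrast_security.yaml; fi
        printf '%s\n' "$p"
        return 0
    fi
    for d in /etc/contrast/php /etc/contrast /etc; do
        if [ -f "${1:-}$d/contrast_security.yaml" ]; then
            printf '%s\n' "${1:-}$d/contrast_security.yaml"
            return 0
        fi
    done
    return 1
}

# Succeed if file $1 sits at or below directory $2. Both sides are
# canonicalised with pwd -P so symlinks and ".." cannot hide the overlap.
is_inside() {
    file_dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    app_dir=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$file_dir/" in
        "${app_dir%/}"/*) return 0 ;;
    esac
    return 1
}

# $1 = application directory, $2 = agent log file (may be empty),
# $3 = optional root prefix. Returns 1 if either file is in the app dir.
audit_placement() {
    rc=0
    cfg=$(resolve_config "${3:-}") || cfg=
    if [ -n "$cfg" ] && is_inside "$cfg" "$1"; then
        echo "config-in-app-dir: $cfg"; rc=1
    fi
    if [ -n "${2:-}" ] && is_inside "$2" "$1"; then
        echo "log-in-app-dir: $2"; rc=1
    fi
    return $rc
}
# Usage (constructed paths): audit_placement /var/www/html /var/log/contrast/agent.log
```

A non-zero return means the agent would disable itself or stop logging under the May 6, 2024 behaviour when run in production; the script does not detect the environment itself.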
Release date: April 25, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added initial sensitive data masking to trace reports.
Bug fixes:
Removed unnecessary warning from the contrast-php-util enable command. (PHP-904)
Release date: April 5, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Fixed the issue around restoring of internal settings state that would result in an agent error.
Updated logging around saving and restoring internal settings state.
Release date: March 19, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Internal updates to make the RPM package available for RedHat 9.
Added some debug logging around internal features.
Release date: March 5, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
The initial release of Protect for PHP includes:
Running the agent in Protect mode using a configuration setting or the setting specified in the Contrast web interface.
Available Protect Rules:
Cross-site scripting (XSS)
Command Injection
Path Traversal
SQL Injection
Additional rules will be added in later releases. Other features such as exclusion support, PII masking, IP controls and bot-blocking will be provided in later releases.
Added Red Hat 9 for x64 only.
Release date: February 20, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Initial support for PHP 8.3.
Release date: January 22, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added support for Symfony 6.4 and 7.0
Release date: December 4, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added support for doing route discovery on Symfony cached routes.
Release date: November 7, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added Bookworm as a Debian distribution package.
Release date: October 25, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added initial support for PHP 8.2.
Release date: October 23, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added logging of environment variables to the agent log.
Added additional logging about unwritable log directories.
Release date: August 15, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Addresses two issues that caused a segmentation fault in the PHP extension when parsing certain framework files. (SUP-4910)
Release date: August 14, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Addressed the issue of incorrectly named proxy configuration items. (PHP-828)
Release date: August 10, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added ability to specify a proxy to use for Contrast communication.
Release date: July 13, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added logging around setting the temporary path for the network communication layer.
Release date: June 29, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Fixed an issue where setting the request logging feature (api.log_requests) to true while using STDOUT as the log output path would result in no logging of network requests.
Release date: May 31, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Fixed issue with seg fault when running with PHP 8.0 and Laravel 9.
Fixed issue with passthrough module not loading on versions 8.0 and 8.1.
Release date: May 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Updated internal packages to address a security flaw.
Removed an unused configuration setting.
Bug fixes:
Fixed an issue where certain PHP files would cause a segmentation fault in the agent. Improved overall agent robustness.
Release date: April 28, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Updated internal library versions.
Release date: April 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added Jammy as a Debian distribution package.
Release date: March 30, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Detection of Symfony framework and version.
Added instrumentation for Doctrine when using Symfony.
Bug fixes:
Updated the copyright date for the license file.
Ensured that group, metadata, and session_metadata values from the configuration file are properly parsed for automatic application onboarding.
Release date: February 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added support for Symfony framework.
Release date: January 26, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added SCA analysis for custom Drupal modules (not installed via Composer).
Bug fixes:
Fixed a potential crash in the agent when encountering PHP code that consists of a coalesce call and a closure.
Updated the data provided to Contrast to ensure that it contains a valid stack trace.
Eliminated some potential false positive reflected-xss reports from request headers.
Release date: November 14, 2022
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Identify Drupal modules not installed via Composer.
Added support for PHP 8.0.
Bug fixes:
Use the web server root directory as the working directory when running with PHP-FPM on Red Hat Enterprise. (PHP-679)
Release date: September 20, 2022
Language versions currently supported: PHP 7.4, 8.1
New and improved:
Initial support for PHP 8.1.
Release date: August 30, 2022
Language versions currently supported: PHP 7.4
New and improved:
Added initial Assess support for Drupal 8 and 9.
Added SCA support for Drupal 8 and 9 when installing modules using Composer packages.
Release date: June 28, 2022
Language versions currently supported: PHP 7.4
New and improved:
Added support for LDAP injection rules.
Added support for NoSQL injection rules for MongoDB and Redis.
Release date: June 13, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Fixes minor issue with route discovery logs.
Release date: June 06, 2022
Language versions currently supported: PHP 7.4
New and improved:
Initial triggers for redos rule.
Provides packages for arm64/aarch64.
Bug fixes:
Includes fixes previously released in 1.3.1 and 1.3.2.
Release date: May 26, 2022
Language versions currently supported: PHP 7.4
Release date: May 25, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Better error handling for request shutdown hook. (PHP-576)
Release date: May 24, 2022
Language versions currently supported: PHP 7.4
New and improved:
Initial support for nosql-injection rule: initial support is for the Datastax Cassandra CQL driver for PHP.
Support for capturing full stack traces and relevant common configuration options.
Bug fixes:
Fixed issue when using relative agent log path. (PHP-540)
Fixed issue with route discovery when running under php-fpm. (PHP-528)
Release date: May 11, 2022
Language versions currently supported: PHP 7.4
New and improved:
Agent is now disabled by default with PHP command-line interface (CLI) in order to prevent accidental analysis of PHP scripts and commands.
Added diagnostic script contrast-php-util to agent package along with experimental commands for enabling/disabling agent to ease onboarding.
Added support for reflection-injection rule.
Bug fixes:
Contains fixes for configuration of Assess and API certificates that were included in previous individual bugfix releases.
Release date: April 26, 2022
Language versions currently supported: PHP 7.4
New and improved:
Add certificate configuration option for Contrast API.
Release date: April 25, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Agent now defers to Contrast web interface setting for enabling Assess if omitted from configuration. Previously the agent required Assess to be explicitly enabled locally as well.
Release date: April 21, 2022
Language versions currently supported: PHP 7.4
New and improved:
Improvements to trace event rendering in the Contrast web interface.
Added coverage to unsafe-code-execution for extract function.
Bug fixes:
Fixed issue with configuration file discovery paths. (PHP-496)
Fixed issue with json_decode propagation. (PHP-482)
Release date: April 4, 2022
Language versions currently supported: PHP 7.4
New and improved:
Assess and SCA feature support for PHP applications.
Support for the Laravel framework.