[hannob]

FWIW I reported it to PHPs bugtracker: https://bugs.php.net/bug.php?id=77843

I expect that it'll be fixed, not not handled as a security issue, as it doesn't fit within PHPs model of security vulns.

[jimktrains2]

> This looks like it requires specially crafted code, therefore not a security issue.

I'm not sure how I feel about such a response. Many exploits require odd, but valid code, and more often than not it exists out there.

Also, it feels weird for this to be tagged as a JSON issue?

[_ea1k]

Basically they don't consider the engineer exploiting the interpreter to be a security vulnerability. That seems a bit dubious, but I can see where they are coming from in treating the script author as a trusted party.