


Perceptive Security
SOC/SIEM Consultancy

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from t…
Published:
30 April 2026 at 22:00:00
Alert date:
1 May 2026 at 20:05:47
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
A critical unsafe deserialization vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The vulnerability is located in the sync-invoke client component at Connection.php line 76, where unserialize() is called on data received from server responses. This flaw enables remote code execution (RCE) on the client side when connecting to a malicious server. The vulnerability affects all versions in the 2.x branch up to and including version 2.2.17. Exploitation requires the client to connect to an attacker-controlled server that sends malicious serialized data.
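A defensive pattern for the flaw described above, as an added example (not MixPHP code and not the project's fix): a hypothetical `decodePeerResponse()` that decodes a peer's reply with `allowed_classes => false` and rejects any object. It assumes PHP 8 and that replies only need scalars and arrays; the function names and sample payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not MixPHP code): decode a peer response without
// letting the peer choose which classes get instantiated.
function decodePeerResponse(string $raw): mixed
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of application
    // classes runs during or after decoding.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; serialize(false) is
    // the only valid payload that decodes to false.
    if ($value === false && $raw !== serialize(false)) {
        throw new UnexpectedValueException('malformed response');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('object in response rejected');
    }
    return $value;
}

// Recursively report whether a decoded value holds any object,
// including the __PHP_Incomplete_Class placeholders created above.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: one plain array, one carrying an object.
$plain = serialize(['status' => 'ok', 'result' => [1, 2, 3]]);
$withObject = serialize(['result' => new ArrayObject([1])]);

var_dump(decodePeerResponse($plain));
try {
    decodePeerResponse($withObject);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```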
Affected products:
MixPHP Framework
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-42471
https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
https://github.com/mix-php/mix
https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php
This article was created with the assistance of AI technology by Perceptive.
