Content Deep Dive
What is Phar Deserialization
Blog post from Sonar
Post Details
Company
Date Published
Author: Johannes Dahse
Word Count: 610
Language: English
Hacker News Points: -
Summary
Security researcher Sam Thomas discovered a new exploitation technique that can lead to critical PHP object injection vulnerabilities without the application ever calling the PHP function unserialize(), allowing attackers to escalate file-related vulnerabilities to remote code execution. The technique leverages the Phar (PHP Archive) stream wrapper: a Phar file stores its metadata in PHP's serialized format, so by supplying a manipulated Phar file an attacker can inject malicious objects into the application's scope, potentially leading to further vulnerabilities such as code injection and remote code execution.