Safeguard
Vulnerabilities

PHP 7.4.33 Vulnerabilities: The Real Risk of Running EOL PHP

PHP 7.4.33 was the final release in the 7.4 line before it reached end of life — running it today means every new vulnerability discovered afterward goes unpatched by design.

Safeguard Research Team
Research
4 min read

PHP 7.4.33 shipped in November 2022 as the final security release for the PHP 7.4 branch before it reached official end of life. The question worth asking isn't really about PHP 7.4.33 vulnerabilities as a fixed list — it's about what happens to a codebase still running this version now, well past the point where new vulnerabilities discovered in PHP's core stop getting patched for that branch at all.

Why Does the Specific Version Number Matter Here?

7.4.33 matters less as a target for a specific known CVE and more as a marker: it's the last build PHP's maintainers officially supported. Any memory-safety bug, parser flaw, or standard-library vulnerability discovered in PHP after that release gets fixed in actively maintained branches (PHP 8.1, 8.2, 8.3, and beyond) but never backported to 7.4, because that branch is no longer maintained. If you're running 7.4.33 today, you're running software that by definition cannot receive fixes for anything discovered since November 2022 — the version number itself is the risk indicator, independent of any specific CVE list.

What Does "End of Life" Actually Mean for Security Posture?

End of life doesn't mean the software stops working — it means the vendor (in this case the PHP project) has stopped issuing security patches for that branch. Any vulnerability class subsequently discovered — whether in the core interpreter, bundled extensions, or the standard library — simply won't get an official fix backported to 7.4.x. Organizations running EOL PHP are relying entirely on external mitigations (WAF rules, network segmentation, extension-level patches from third parties) rather than an upstream fix.

This matters more for PHP specifically than for some other ecosystems because PHP has historically been a frequent target for both automated exploitation attempts and manual research, given how much of the web still runs on it — a large fraction of it on outdated versions.

How Do You Actually Assess Your Exposure?

Start by confirming your actual running version across every environment — it's common to find production on a supported version while a staging server, an internal tool, or a legacy microservice quietly still runs 7.4.x. Dependency and container scanning tools that check the PHP runtime version, not just application-level dependencies, will surface this automatically across your infrastructure.

From there, prioritize by exposure: an internet-facing application running EOL PHP is a materially different risk than an internal tool with no external network access, even though both are technically running unsupported software.

What's the Actual Path Off PHP 7.4?

Upgrading across major PHP versions (7.4 to 8.x) can involve real breaking changes — deprecated function removals, type coercion behavior changes, and extension compatibility issues are common enough that a direct in-place upgrade without testing is risky. A practical path is running the application test suite against PHP 8.1 or 8.2 in a staging environment first, using tools like PHP's own deprecation warnings and static analyzers (PHPStan, Psalm) to surface incompatibilities before they hit production, and budgeting real engineering time for the migration rather than treating it as a drop-in version bump.

Delaying the upgrade doesn't reduce the eventual work — it just extends the window where the application runs on software that can't receive security patches. Continuous scanning that flags EOL runtime versions as a standing finding (not just a one-time audit note) helps keep this visible to engineering leadership rather than becoming a known-but-ignored risk. See our SCA product page for how runtime and dependency version tracking fits into that.

FAQ

When did PHP 7.4 officially reach end of life?

PHP 7.4 reached end of life on November 28, 2022, with 7.4.33 as its final security release.

Is PHP 7.4.33 itself insecure the moment it was released?

No — at release, it was the fully patched, current version for that branch. The risk described here is about what happens after end of life, when subsequently discovered vulnerabilities stop being patched for that branch.

Can I get extended security support for PHP 7.4 from a third party?

Some vendors offer extended support contracts for EOL PHP versions that backport critical security fixes for a fee. This can buy time but isn't a substitute for eventually upgrading to an actively maintained version.

What's the current actively maintained PHP branch?

Check php.net's supported versions page for the current list, since active branches roll forward on a regular schedule. As of this writing, PHP 8.1 and later branches are the actively maintained lines.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.