Facebook has patched two high-severity vulnerabilities in its server application that could have allowed remote attackers to unauthorisedly obtain sensitive information or cause a denial of service just by uploading a maliciously constructed JPEG image file.
The vulnerabilities reside in HHVM (HipHop Virtual Machine)—a high-performance, open source virtual machine developed by Facebook for executing programs written in PHP and Hack programming languages.
HHVM uses a just-in-time (JIT) compilation approach to achieve superior performance of your Hack and PHP code while maintaining the development flexibility that the PHP language provides.
Since the affected HHVM server application is open-source and free, both issues may also impact other websites that use HHVM, including Wikipedia, Box and especially those which allow their users to upload images on the server.
images from Hacker News