FrankenPhp 1.12.4
FrankenPHP 1.12.4 has been released — a hardening and stability update that pulls in upstream security fixes from Caddy 2.11.4 and Mercure 0.24.2, closes underscore-header spoofing, and fixes several worker-mode crashes.
Security & Hardening
The headline fix in FrankenPHP 1.12.4 is defense-in-depth against underscore-header spoofing. Because CGI maps dashes to underscores (Foo-Bar becomes HTTP_FOO_BAR), a client-supplied Foo_Bar header was previously indistinguishable from a legitimate Foo-Bar in $_SERVER. This could let an attacker spoof trusted headers like X-Forwarded-For or Authorization. The bundled Caddy 2.11.4 now ignores header fields containing underscores at the server layer, and FrankenPHP documents the risk for code using the Go API directly.
Mercure 0.24.2 is also bundled, bringing SSE field injection rejection (id/type), reserved topic forgery blocking, Last-Event-ID metadata disclosure fixes, and DoS amplification caps.
Bug Fixes
Several crashes in worker mode have been resolved: ext-parallel crashes are fixed by properly propagating the parent thread index, the in_save_handler state that blocked subsequent close handlers is cleared, and a data race in metrics has been resolved by switching from a mutex to a read-write mutex. The headers_sent() function now correctly reports false under CLI emulation.
Upgrade Recommended
Every FrankenPHP user should upgrade to 1.12.4. The underscore-header spoofing fix alone is worth the update, and the worker-mode stability improvements make it a no-brainer for production deployments. The upgrade is a drop-in replacement — update your binary and restart.