PHP 8 Sandbox Escape Exploit Exposes Critical Memory Vulnerabilities

Hacker News

GitHub repository m0x41nos/TimeAfterFree demonstrates a PHP 8 sandbox escape using a use-after-free bug to bypass `disable_functions` and execute arbitrary commands. The proof-of-concept (PoC) leverages the `DateInterval` object to leak heap pointers, enabling memory corruption on Unix-like systems. Tested across PHP 8.2.x to 8.5.x, the exploit works deterministically in CLI, PHP-FPM, and Apache module environments, highlighting systemic risks in PHP’s memory-unsafe core.

The exposure stems from relying on sandboxing mechanisms like `disable_functions` for security, a strategy the author calls "wishful thinking." By exploiting a heap pointer leak via `DateInterval`, attackers can bypass restrictions and gain write primitives. While PHP memory corruption exploits are partially documented, this PoC reveals previously undocumented techniques, amplifying concerns about widespread, unpatched vulnerabilities.

PHP’s memory-unsafe design has long been a target for exploits, but this case underscores the urgency of modernizing its architecture. The PoC’s reproducibility across major PHP distributions and server APIs suggests attackers could easily weaponize it. Despite the author’s disclaimer urging responsible use, the exploit’s technical depth signals a critical flaw in PHP’s sandboxing model that demands immediate attention from developers and security teams.

Mitigation efforts currently focus on avoiding reliance on `disable_functions` entirely, but long-term solutions require memory-safe PHP development practices. This vulnerability serves as a stark reminder that sandboxing alone cannot secure memory-unsafe languages, a lesson with far-reaching implications for web application security.