The MixPHP Framework versions 2.x to 2.2.17 contain an unsafe deserialization vulnerability in the sync-invoke client component. The code at Connection.php line 76 uses PHP's unserialize() function on server response data without sufficient validation, enabling a malicious server to execute arbitrary code on the client by sending specially crafted serialized objects. This vulnerability can lead to client-side remote code execution if the client connects to a malicious or compromised server. There is no CVSS score or official remediation information available at this time.

If exploited, this vulnerability allows a malicious server to execute arbitrary code on the client system running the vulnerable MixPHP Framework sync-invoke client. This can lead to full compromise of the client environment. However, exploitation requires the client to connect to a malicious server, limiting the attack vector to scenarios involving untrusted or compromised servers. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid connecting the vulnerable MixPHP client to untrusted or potentially malicious servers to mitigate risk. Monitor vendor channels for updates regarding patches or official mitigations.