This part is concerning:

> Apache's team has been prompt to respond and patch, and nice as hell. Really good experience. PHP never answered regarding the UAF.




FWIW I reported it to PHP's bugtracker: https://bugs.php.net/bug.php?id=77843

I expect that it'll be fixed, but not handled as a security issue, as it doesn't fit within PHP's model of security vulns.


> This looks like it requires specially crafted code, therefore not a security issue.

I'm not sure how I feel about such a response. Many exploits require odd, but valid code, and more often than not it exists out there.

Also, it feels weird for this to be tagged as a JSON issue?


Basically they don't consider the engineer exploiting the interpreter to be a security vulnerability. That seems a bit dubious, but I can see where they are coming from in treating the script author as a trusted party.


That’s been my experience reporting any kind of bug with the PHP core team. It really is a pain in the neck.