Every extension you ship is attack surface.
A generic php:* image bundles a fixed set of extensions — many with a long CVE history —
whether your application uses them or not. A vulnerability you don't ship can't be exploited.
customcontainer builds the image from your actual composer.lock, so the extensions you
never call simply aren't there.
You only ship what you use.
customcontainer detects the extensions your composer.lock actually requires and
builds an image with exactly those — plus the C libraries they link against, nothing else.
Every extension you leave out is one whose next CVE can never touch you.
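The detection step described above, as an added illustration (not customcontainer's own code): it collects every `ext-*` constraint a composer.lock declares, in the root `platform` block and in each locked package's `require`, and reports which extensions of a given image nothing in the lock file needs. The lock fragment and the "generic image" extension list are constructed sample data.

```python
import json

# Constructed sample composer.lock fragment; not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/http-client",
         "require": {"php": "^8.1", "ext-json": "*"}},
        {"name": "vendor/strings",
         "require": {"php": ">=8.1", "ext-mbstring": "*"},
         "suggest": {"ext-intl": "For locale-aware comparisons"}},
    ],
    "packages-dev": [
        {"name": "vendor/test-runner", "require": {"ext-dom": "*", "ext-xml": "*"}},
    ],
    "platform": {"php": ">=8.1", "ext-curl": "*"},
    "platform-dev": {"ext-xdebug": "*"},
})


def required_extensions(lock_json: str, include_dev: bool = False) -> set[str]:
    """Return the PHP extensions a composer.lock declares as required.

    Sources: the root 'platform' block and every package's 'require'.
    'suggest' is ignored on purpose: suggestions are optional, so shipping
    them would add exactly the unused surface the page argues against.
    With include_dev=True, 'platform-dev' and 'packages-dev' are added too.
    """
    lock = json.loads(lock_json)
    exts: set[str] = set()

    def add_from(require: dict) -> None:
        for key in require:
            if key.startswith("ext-"):
                exts.add(key[len("ext-"):].lower())

    add_from(lock.get("platform", {}))
    for pkg in lock.get("packages", []):
        add_from(pkg.get("require", {}))
    if include_dev:
        add_from(lock.get("platform-dev", {}))
        for pkg in lock.get("packages-dev", []):
            add_from(pkg.get("require", {}))
    return exts


def surplus_extensions(installed: set[str], required: set[str]) -> set[str]:
    """Extensions present in an image that nothing in the lock file declares."""
    return installed - required
```

A package that calls extension functions without declaring `ext-*` in its `require` is invisible to this check; that is a gap in the package's metadata, and the only remedy is to add the constraint to your own composer.json so it lands in the lock file.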
Fixes reach you in hours.
Because every extension sits in its own layer, a security update to one library rebuilds just that layer and ships as a new semver version automatically — webhook included. No waiting for an upstream base image, no rebuilding your whole pipeline.
A curated look at PHP extensions with a notable security history since 2015 — and how a purpose-built image handles each one.
| Extension | Risk | What went wrong | In a customcontainer image |
|---|---|---|---|
| imagick | critical | RCE via ImageMagick delegates ("ImageTragick"), plus hundreds of image-parser CVEs in the ImageMagick library it binds (CVE-2016-3714). | Opt-in only — never part of a minimal image. |
| openssl | high | Tracks upstream OpenSSL CVEs — the most-patched crypto stack in the ecosystem (CVE-2022-3602, CVE-2016-2107). | Kept current; the affected layer is rebuilt within hours of an upstream fix. |
| curl | high | Underlying libcurl overflows (SOCKS5 heap overflow, cookie/redirect bugs) (CVE-2023-38545). | Shipped only when a dependency actually uses it — then patched per-layer. |
| gd | high | Heap overflows and DoS loops in the libgd image decoders (GIF, XBM, GD2) (CVE-2019-6977, CVE-2019-11038, CVE-2018-5711). | Opt-in — only if your app renders or resizes images. |
| intl | medium | Locale, number-formatter and collator parsing bugs in the bundled ICU library (CVE-2016-10397). | Opt-in only. |
| xml | high | libexpat heap overflow plus XXE across the whole dom / simplexml / xmlreader stack (CVE-2019-15903). | The XML stack is added only when your code needs it. |
| sqlite3 | medium | Out-of-bounds reads and integer overflows in the underlying SQLite engine (CVE-2022-35737, CVE-2019-8457). | Opt-in — dropped when you use a real database driver instead. |
| exif | high | Repeated heap over-reads while parsing image metadata from untrusted uploads (CVE-2019-11039, CVE-2019-11040, CVE-2018-14883). | Opt-in only. |
| mbstring | medium | Use-after-free and out-of-bounds bugs in the bundled Oniguruma regex engine (CVE-2019-13224). | Included only when your dependencies require it. |
| ssh2 | high | Multiple libssh2 heap overflows in the SSH transport, several leading to RCE (CVE-2019-3855, CVE-2019-3856). | Opt-in only. |
| fileinfo | medium | Heap overflow and DoS in the libmagic file-type detector (CVE-2019-18218). | Opt-in; not part of minimal images. |
| zip | medium | Use-after-free in libzip and classic zip-slip path traversal (CVE-2020-36242). | Opt-in only. |
| phar | critical | The phar:// wrapper triggers unserialize() of archive metadata → object-injection RCE (CVE-2015-5590). | Off by default; only added when you explicitly opt in. |
| soap | high | Type confusion and XXE in the SOAP/XML client and server (CVE-2015-8835). | Opt-in only. |
| xmlrpc (moved to PECL in PHP 8.0) | high | Unsafe deserialization. Considered risky enough to be moved out of core. | Not shipped. |
| imap (removed from PHP core in 8.4) | critical | RCE via imap_open() passing an attacker-controlled -oProxyCommand to the mail client (CVE-2018-19518, CVE-2018-19935). | Not shipped — gone from PHP itself. |
| wddx (removed from PHP in 7.4) | high | Use-after-free and invalid free in wddx_deserialize() on untrusted input (CVE-2017-11143, CVE-2016-7413). | Not shipped — removed from PHP. |
| gmp | medium | Stack overflow reachable through crafted numeric input (CVE-2015-8874). | Opt-in only. |
Shrink your attack surface
Build an image with only what you use.
Paste your composer.lock on the start page and pull a purpose-built PHP image right away —
no account, no build pipeline, no credit card.
CVE counts are indicative figures covering each extension and the C library it links against (for example imagick ↔ ImageMagick, gd ↔ libgd, mbstring ↔ Oniguruma) since 2015. They are meant to visualise relative attack surface, not to serve as an exact CVE census. Always consult the NVD for authoritative, up-to-date advisories.