Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

PKSA-9cfd-hnsv-zq3v CVE-2018-17057

Affected version: <6.2.22

Reported by:
FriendsOfPHP/security-advisories