FrankenPHP v1.11.2 Released With 30% Faster CGO, 40% Faster GC, and Security Patches

On February 13th, 2026, FrankenPHP announced the release of version 1.11.2, marking a significant update that is highly recommended for all users. This release not only addresses critical security vulnerabilities but also introduces substantial performance enhancements that are essential for PHP applications.

Security Enhancements

The primary focus of the FrankenPHP v1.11.2 update is to enhance security. The release includes fixes for three notable vulnerabilities:

• GHSA-g966-83w7-6w38: This fix addresses a Unicode casing path confusion issue in CGI path splitting that could potentially allow for arbitrary file execution.
• GHSA-r3xh-3r3w-47gp: This patch resolves a session leak that could occur between requests handled by workers, which is critical for maintaining user session integrity.
• GHSA-x9p2-77v6-6vhf: This fix deals with delayed propagation of security updates in upstream base Docker images, ensuring that users are protected from known vulnerabilities.

Given these vulnerabilities, it is imperative for users operating in production environments, particularly those utilizing worker mode or allowing user influence over request paths or uploads, to prioritize this upgrade.

Performance Improvements

Beyond security, the v1.11.2 release brings significant performance improvements through an upgrade to the compiler toolchain to Go 1.26. Users can expect:

• 10-40% Faster Garbage Collector: The garbage collection process has been optimized, resulting in faster memory management and reduced latency.
• ~30% Faster CGO Calls: The CGO (C Go) calls have been improved, which enhances the interaction between PHP and C libraries, leading to quicker execution times.

These enhancements are expected to smooth out tail response times under load, making PHP applications more responsive and efficient.

Notable Fixes and Stability Improvements

In addition to security and performance upgrades, FrankenPHP v1.11.2 includes numerous bug fixes and stability improvements. Some of the key fixes are as follows:

• Ensured that $_SERVER['PHP_SELF'] always starts with a slash, which is crucial for correct URL handling.
• Enabled PHP to handle HTTP Basic Auth headers natively, simplifying authentication processes.
• Fixed edge cases related to symbolic links, which can cause unexpected behavior in certain scenarios.
• Addressed race conditions that could occur during shutdown and “drain” processes, enhancing overall reliability.
• Resolved multiple segmentation faults that could arise in edge cases, further stabilizing the platform.
• Improved worker mode functionalities, including correct initialization of $_REQUEST and resetting of INI settings and $_SESSION when changes occur during a request.

New Feature: Alpine APK Repository

Another exciting addition in this release is the introduction of a dedicated APK repository for Alpine Linux. This feature aims to simplify the management of Alpine-based installations and image builds, making it easier for developers to leverage the benefits of FrankenPHP in their environments.

Upgrade Recommendations

Given the critical nature of the security vulnerabilities addressed in this release, it is strongly recommended that all users upgrade to FrankenPHP v1.11.2 as soon as possible. The performance enhancements alone make it a worthwhile update, but the security patches are essential for protecting applications from potential threats.

Release Notes and Further Information

For those interested in the complete details of the release, the full release notes can be found on the official GitHub page. Additionally, users can view the changelog to compare previous versions and understand the scope of changes made:

• Full Release Notes
• Changelog Compare

Frequently Asked Questions

Call To Action

Note: Upgrading to the latest version of FrankenPHP is essential for maintaining the security and performance of your PHP applications. Stay updated to protect your projects effectively.