Every extension you ship is attack surface.

A generic php:* image bundles a fixed set of extensions — many with a long CVE history — whether your application uses them or not. A vulnerability you don't ship can't be exploited. customcontainer builds the image from your actual composer.lock, so the extensions you never call simply aren't there. Try it: switch off what your app doesn't need and watch the exposure drop.
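As an added illustration of the composer.lock-driven approach described above (example code written for this page, not customcontainer's own tooling): collect the ext-* requirements from a composer.lock and compare them with the modules a generic image loads, reporting the ones nothing in the lock file asks for. The composer.lock and `php -m` samples are constructed, and the set of always-built-in PHP 8 modules is an assumption.

```python
"""Derive needed PHP extensions from composer.lock; flag loaded extensions no dependency requires."""
import json
import re

# Constructed sample composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/http-client", "require": {"php": ">=8.1", "ext-curl": "*", "ext-json": "*"}},
        {"name": "vendor/orm", "require": {"ext-pdo": "*", "ext-mbstring": "*"}},
    ],
    "packages-dev": [{"name": "vendor/test-tool", "require": {"ext-xdebug": "*"}}],
    "platform": {"php": ">=8.1", "ext-intl": "*"},
    "platform-dev": [],  # composer writes an empty JSON array here when nothing is set
})

# Constructed `php -m` output from a hypothetical generic image.
SAMPLE_PHP_M = """[PHP Modules]
Core
curl
date
gd
imagick
intl
json
mbstring
pdo
phar
xml

[Zend Modules]
"""

# Assumption: modules compiled into every PHP 8 build that cannot be dropped, so never reported.
ALWAYS_BUILTIN = {"core", "date", "hash", "json", "pcre", "reflection", "spl", "standard"}
EXT_KEY = re.compile(r"^ext-(.+)$", re.IGNORECASE)

def required_extensions(lock_json, include_dev=False):
    """Extensions that packages or the platform section of composer.lock declare via ext-* keys."""
    lock = json.loads(lock_json)
    requires = [pkg.get("require", {}) for pkg in lock.get("packages", [])]
    requires.append(lock.get("platform") or {})  # `or {}` also covers the empty-array form
    if include_dev:
        requires += [pkg.get("require", {}) for pkg in lock.get("packages-dev", [])]
        requires.append(lock.get("platform-dev") or {})
    needed = set()
    for req in requires:
        for key in req:
            m = EXT_KEY.match(key)
            if m:
                needed.add(m.group(1).lower())
    return needed

def loaded_extensions(php_m_output):
    """Parse `php -m` text into a set of lower-case module names, skipping section headers."""
    return {line.strip().lower() for line in php_m_output.splitlines()
            if line.strip() and not line.startswith("[")}

def droppable_extensions(php_m_output, lock_json, include_dev=False):
    """Loaded extensions that no dependency requires and that are not built into PHP."""
    return loaded_extensions(php_m_output) - required_extensions(lock_json, include_dev) - ALWAYS_BUILTIN
```

Run `droppable_extensions(SAMPLE_PHP_M, SAMPLE_LOCK)` against the samples and it reports gd, imagick, phar and xml as candidates to leave out of the image.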

261 documented CVEs shipping in your image. You dropped 0 of 261 known CVEs (since 2015) by not shipping extensions you don't use.


A curated look at PHP extensions with a notable security history since 2015 — and how a purpose-built image handles each one.

| Extension | Risk | What went wrong | CVEs cited | In a customcontainer image |
|---|---|---|---|---|
| imagick | critical | RCE via ImageMagick delegates ("ImageTragick"), plus hundreds of image-parser CVEs in the ImageMagick library it binds. | CVE-2016-3714 | Opt-in only — never part of a minimal image. |
| openssl | high | Tracks upstream OpenSSL CVEs — the most-patched crypto stack in the ecosystem. | CVE-2022-3602, CVE-2016-2107 | Kept current; the affected layer is rebuilt within hours of an upstream fix. |
| curl | high | Underlying libcurl overflows (SOCKS5 heap overflow, cookie/redirect bugs). | CVE-2023-38545 | Shipped only when a dependency actually uses it — then patched per-layer. |
| gd | high | Heap overflows and DoS loops in the libgd image decoders (GIF, XBM, GD2). | CVE-2019-6977, CVE-2019-11038, CVE-2018-5711 | Opt-in — only if your app renders or resizes images. |
| intl | medium | Locale, number-formatter and collator parsing bugs in the bundled ICU library. | CVE-2016-10397 | Opt-in only. |
| xml | high | libexpat heap overflow plus XXE across the whole dom / simplexml / xmlreader stack. | CVE-2019-15903 | The XML stack is added only when your code needs it. |
| sqlite3 | medium | Out-of-bounds reads and integer overflows in the underlying SQLite engine. | CVE-2022-35737, CVE-2019-8457 | Opt-in — dropped when you use a real database driver instead. |
| exif | high | Repeated heap over-reads while parsing image metadata from untrusted uploads. | CVE-2019-11039, CVE-2019-11040, CVE-2018-14883 | Opt-in only. |
| mbstring | medium | Use-after-free and out-of-bounds bugs in the bundled Oniguruma regex engine. | CVE-2019-13224 | Included only when your dependencies require it. |
| ssh2 | high | Multiple libssh2 heap overflows in the SSH transport, several leading to RCE. | CVE-2019-3855, CVE-2019-3856 | Opt-in only. |
| fileinfo | medium | Heap overflow and DoS in the libmagic file-type detector. | CVE-2019-18218 | Opt-in; not part of minimal images. |
| zip | medium | Use-after-free in libzip and classic zip-slip path traversal. | CVE-2020-36242 | Opt-in only. |
| phar | critical | The phar:// wrapper triggers unserialize() of archive metadata → object-injection RCE. | CVE-2015-5590 | Off by default; only added when you explicitly opt in. |
| soap | high | Type confusion and XXE in the SOAP/XML client and server. | CVE-2015-8835 | Opt-in only. |
| xmlrpc (moved to PECL in PHP 8.0) | high | Unsafe deserialization; considered risky enough to be moved out of core. | | Not shipped. |
| imap (removed from PHP core in 8.4) | critical | RCE via imap_open() passing an attacker-controlled -oProxyCommand to the mail client. | CVE-2018-19518, CVE-2018-19935 | Not shipped — gone from PHP itself. |
| wddx (removed from PHP in 7.4) | high | Use-after-free and invalid free in wddx_deserialize() on untrusted input. | CVE-2017-11143, CVE-2016-7413 | Not shipped — removed from PHP. |
| gmp | medium | Stack overflow reachable through crafted numeric input. | CVE-2015-8874 | Opt-in only. |

Shrink your attack surface

Build an image with only what you use.

Paste your composer.lock on the start page and pull a purpose-built PHP image right away — no account, no build pipeline, no credit card.

CVE counts are indicative figures covering each extension and the C library it links against (for example imagick ↔ ImageMagick, gd ↔ libgd, mbstring ↔ Oniguruma) since 2015. They are meant to visualise relative attack surface, not to serve as an exact CVE census. Always consult the NVD for authoritative, up-to-date advisories.