Bug 1222856 (CVE-2024-1874) - VUL-0: CVE-2024-1874: php5,php53,php7,php72,php74,php8: improper cmdline handling on windows
Status: RESOLVED UPSTREAM
Alias: CVE-2024-1874
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/401686/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-15 15:54 UTC by SMASH SMASH
Modified: 2024-04-15 15:58 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-04-15 15:54:02 UTC
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
(CVE-2024-1874) reports:

    Due to the improper handling of command line arguments on Windows,
    maliciously crafted arguments can inject arbitrary commands even if
    the bypass_shell option is enabled.

    Details
    --------
    proc_open executes external commands passed via its arguments. The documentation
    of this function states the following:

        As of PHP 7.4.0, the command may be passed as an array of command parameters.
        In this case, the process will be opened directly (without going through a
        shell) and PHP will take care of any necessary argument escaping.

        bypass_shell (windows only): bypass cmd.exe shell when set to true


    However, when executing .bat or .cmd files, CreateProcess implicitly spawns
    cmd.exe, resulting in command line arguments being parsed in cmd.exe despite
    the documentation explicitly stating it doesn't spawn the shell.

    While proc_open tries to escape the arguments, command prompts will not
    recognize \ as the escape character. So, the following command line argument
    will spawn calc.exe:

        test.bat "\"&calc.exe"
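As an added example (not part of the advisory quoted above, and not PHP's upstream fix), the PHP below rebuilds the command line that an array $command produces for the advisory's case, shows where cmd.exe's own quote handling exposes the "&", and wraps proc_open with a refusal policy for .bat/.cmd targets. Assumptions: quoteForCreateProcess is a simplified reconstruction of CreateProcess-style quoting rather than php-src's routine, cmdUnquotedMetachars is a model of cmd.exe's quote toggling, the character allowlist in safeProcOpen is this example's own policy, and all helper names are invented.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or from php-src. It rebuilds the
// command line PHP would hand to CreateProcess for an array $command, shows
// why cmd.exe re-parses it differently, and wraps proc_open with a refusal
// policy for batch targets. Helper names and the policy are this example's own.

// Simplified reconstruction of CreateProcess-style quoting: wrap in double
// quotes, put 2n+1 backslashes before an embedded quote and 2n before the
// closing quote. CommandLineToArgvW undoes this; cmd.exe does not.
function quoteForCreateProcess(string $arg): string
{
    if ($arg !== '' && !preg_match('/[\s"]/', $arg)) {
        return $arg;                                   // nothing to quote
    }
    $out = '"';
    $backslashes = 0;
    for ($i = 0, $n = strlen($arg); $i < $n; $i++) {
        $c = $arg[$i];
        if ($c === '\\') {
            $backslashes++;
            continue;
        }
        if ($c === '"') {
            $out .= str_repeat('\\', 2 * $backslashes + 1) . '"';
        } else {
            $out .= str_repeat('\\', $backslashes) . $c;
        }
        $backslashes = 0;
    }
    return $out . str_repeat('\\', 2 * $backslashes) . '"';
}

function buildCommandLine(array $argv): string
{
    return implode(' ', array_map('quoteForCreateProcess', $argv));
}

// Model of cmd.exe's quote handling: every " toggles quote mode, ^ escapes
// the next character only outside quotes, and \ is never an escape. Returns
// the operator characters that end up unquoted, i.e. the injection points.
// (%VAR% expansion happens earlier and ignores quotes entirely, so % is not
// covered here; the allowlist below excludes it.)
function cmdUnquotedMetachars(string $cmdline): array
{
    $found = [];
    $inQuote = false;
    for ($i = 0, $n = strlen($cmdline); $i < $n; $i++) {
        $c = $cmdline[$i];
        if ($c === '"') {
            $inQuote = !$inQuote;
        } elseif (!$inQuote && $c === '^') {
            $i++;                                      // skip escaped char
        } elseif (!$inQuote && strpos('&|<>()', $c) !== false) {
            $found[] = ['offset' => $i, 'char' => $c];
        }
    }
    return $found;
}

function isBatchTarget(string $program): bool
{
    $ext = strtolower(pathinfo($program, PATHINFO_EXTENSION));
    return $ext === 'bat' || $ext === 'cmd';
}

// Refusal policy (this example's choice, not PHP's upstream fix): when the
// target is a .bat/.cmd file, only pass arguments made of characters that
// mean nothing to cmd.exe. Everything else (quotes, ^ & | < > ( ) % !,
// whitespace, CR/LF) is rejected before proc_open is ever called.
function safeProcOpen(array $argv, array $descriptors, array &$pipes)
{
    if ($argv === []) {
        throw new InvalidArgumentException('empty command array');
    }
    if (isBatchTarget($argv[0])) {
        foreach (array_slice($argv, 1) as $arg) {
            if (!preg_match('~^[A-Za-z0-9._:/\\\\-]+$~', $arg)) {
                throw new InvalidArgumentException(
                    'refusing to pass ' . var_export($arg, true) . ' to a batch file');
            }
        }
    }
    return proc_open($argv, $descriptors, $pipes);
}

// The advisory's case: the PHP array below is what a caller would pass;
// the joined line is what CreateProcess, and then cmd.exe, receives.
$argv = ['test.bat', '"&calc.exe'];
$line = buildCommandLine($argv);
echo $line, PHP_EOL;
foreach (cmdUnquotedMetachars($line) as $m) {
    printf("cmd.exe sees '%s' at offset %d outside quotes\n", $m['char'], $m['offset']);
}
try {
    $pipes = [];
    safeProcOpen($argv, [], $pipes);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run with any PHP 7.4+ interpreter: the script prints the same test.bat "\"&calc.exe" line the advisory shows, reports the "&" as unquoted from cmd.exe's point of view (the \ before the quote is only meaningful to CommandLineToArgvW), and the wrapper throws before proc_open runs. The extension check only looks at the explicit .bat/.cmd suffix, which is what makes CreateProcess go through cmd.exe; it is not a substitute for keeping untrusted data out of batch-file arguments altogether.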
Comment 1 Marcus Meissner 2024-04-15 15:58:09 UTC
No need to fix Windows issues.