CVE-2025-50706
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinkphp | thinkphp | 5.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50706 is a vulnerability in ThinkPHP version 5.1 that allows a remote attacker to execute arbitrary code by exploiting improper handling of the 's' routing parameter. Specifically, the vulnerability arises because the framework does not properly sanitize directory traversal sequences ('..\') within this parameter, allowing attackers to traverse directories and include arbitrary PHP files. This leads to remote code execution on affected Windows systems. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary PHP code on your server by including malicious files through directory traversal. This can lead to full system compromise, unauthorized access, data theft, or the installation of backdoors and malware, especially on Windows environments running ThinkPHP 5.1. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the ThinkPHP 5.1 application for improper handling of the `s` GET parameter in URLs. Specifically, you can attempt to access URLs with directory traversal sequences like `..\` in the `s` parameter to see if arbitrary PHP files are included or executed. For example, try accessing `index.php?s=..\..\..\..\thinkphp5.1/xinyi/xinyi` on a Windows environment to check if the server includes unintended files. Monitoring web server logs for suspicious requests containing `..\` in the `s` parameter can also help detect exploitation attempts. No specific command-line tools are mentioned, but using curl or a browser to test such URLs is effective. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating ThinkPHP to a version where this vulnerability is fixed, as recommended on the official ThinkPHP website. If an update is not immediately possible, restrict access to the vulnerable application from untrusted networks, disable or restrict the use of the `s` parameter in routing, and implement web application firewall (WAF) rules to block requests containing directory traversal patterns like `..\` in the `s` parameter. Additionally, ensure the application is not running on Windows if possible, as the exploit is specific to Windows environments. [1, 2]