CVE-2025-50707
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-14
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinkphp | thinkphp | 3.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50707 is a local file inclusion vulnerability in ThinkPHP3 (version 3.2.5 and earlier) that results in remote code execution. The framework does not properly validate the 'a' (action) parameter used in URL routing, so an attacker can place directory-traversal sequences in it and make the framework include an arbitrary '.html' file from the server's filesystem. ThinkPHP3 treats such files as templates and executes any PHP code they contain. The path to code execution runs through the framework's dynamic action handling: when the requested action does not exist as a controller method, the controller's __call() magic method is invoked as a fallback and attempts to render a template named after the action, and the traversal sequences in the action name steer that template lookup outside the intended template directory. In practice the attacker also needs a '.html' file containing PHP to exist on the server, for example one placed through an upload feature, since the vulnerability includes files rather than creating them. [1, 2]
How can this vulnerability impact me?
A remote, unauthenticated attacker who can reach the application can execute arbitrary PHP code on the server by causing it to include a malicious '.html' file containing PHP code. That amounts to full remote code execution with the privileges of the web server process: the attacker can read or exfiltrate data, modify or delete files, deploy a persistent web shell, and use the host as a foothold for lateral movement. Because ThinkPHP3 is no longer maintained, affected deployments stay exposed unless they are migrated or mitigated. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be confirmed by testing how the ThinkPHP3 application handles the 'a' parameter. Request a URL with a crafted action value and compare the response with that of a normal action, for example: index.php?m=Home&c=index&a=../../../../../filename.html. If the server includes or executes the referenced file instead of returning an error for the unknown action, the application is vulnerable; the exact path depth and whether the '.html' extension must be supplied depend on where the target file sits relative to the template directory and on how the framework builds the template path. For ongoing detection, monitor web server access logs for requests whose 'a' parameter contains directory-traversal patterns ('../', including URL-encoded and double-encoded forms such as '%2e%2e%2f' and '%252e%252e%252f') or anything other than a plain method name. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1) Validate the 'a' parameter before dispatch and reject any value that is not a plain method name (letters, digits and underscores only), so that directory-traversal sequences and file extensions never reach the template lookup.
2) Remove or restrict the ability to include template files chosen by user input, for example by ensuring the __call() fallback only renders templates from a fixed allowlist.
3) Where possible, migrate to a newer, maintained version of ThinkPHP that is not affected.
4) Apply any official patches or fixes provided by the ThinkPHP project; since the 3.x branch is no longer maintained, do not count on one being released.
5) As a temporary measure, restrict network access to the affected application or disable the affected functionality until a fix is in place, and review upload directories for '.html' files containing PHP, since those are what the inclusion would execute. [1, 2]
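The following script is an added example, not code from BaseFortify or from the ThinkPHP project. It implements the log-monitoring check described in the detection answer and the allowlist rule from mitigation step 1: it pulls the 'a' parameter out of Apache/nginx combined-format access log lines, percent-decodes it repeatedly so double-encoded traversal is not missed, and flags every request whose action is not a plain identifier. The log lines, IP addresses and file names in it are constructed for the example; the same identifier rule is what a pre-dispatch check inside the PHP application or a WAF rule would enforce.

```python
import re
import sys
from urllib.parse import unquote

# A legitimate ThinkPHP action is a method name: letters, digits, underscore.
# Anything else (slashes, dots, encoded traversal, file extensions) is rejected.
ACTION_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Combined log format: client IP, then the request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic): one normal request, one plain
# traversal, one double-encoded traversal, one normal POST.
LOG_LINES = [
    '203.0.113.5 - - [05/Aug/2025:10:00:01 +0000] "GET /index.php?m=Home&c=Index&a=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Aug/2025:10:00:02 +0000] "GET /index.php?m=Home&c=Index&a=../../../../../tmp/evil.html HTTP/1.1" 200 44 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Aug/2025:10:00:03 +0000] "GET /index.php?m=Home&c=Index&a=..%252f..%252fUploads%252fshell HTTP/1.1" 200 44 "-" "python-requests/2.31"',
    '192.0.2.9 - - [05/Aug/2025:10:00:04 +0000] "POST /index.php?m=Home&c=User&a=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_valid_action(action: str) -> bool:
    """True only for a plain method name after full decoding."""
    return ACTION_RE.fullmatch(decode_param(action)) is not None


def extract_action(request_target: str):
    """Return the raw 'a' query parameter from a request target, or None."""
    if "?" not in request_target:
        return None
    query = request_target.split("?", 1)[1]
    for pair in query.split("&"):
        if pair.startswith("a="):
            return pair[2:]
    return None


def find_suspicious(lines):
    """Return (client_ip, decoded_action) for every request with a bad action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access log line
        ip, target = m.group(1), m.group(2)
        action = extract_action(target)
        if action is not None and not is_valid_action(action):
            hits.append((ip, decode_param(action)))
    return hits


if __name__ == "__main__":
    # Usage: python detect_thinkphp_action.py [access.log]; defaults to the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = LOG_LINES
    for ip, action in find_suspicious(lines):
        print(f"suspicious action from {ip}: {action!r}")
```

Only the 'a' query parameter is inspected, because that is the vector the advisory describes; a deployment that also enables path-style routing would need the same identifier check applied to the action segment of the request path.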