CVE-2018-25270
Remote Code Execution in ThinkPHP 5.0.23 via Routing Parameter
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinkphp | thinkphp | From 5.0.0 (inc) to 5.0.23 (exc) |
| thinkphp | thinkphp | 5.1.31 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ThinkPHP version 5.0.23 and allows remote attackers to execute arbitrary PHP code without authentication. It occurs because attackers can manipulate the routing parameter to invoke functions, enabling them to run system commands with the same privileges as the application by sending crafted requests to the index.php endpoint.
How can this vulnerability impact me? :
The impact of this vulnerability is severe as it allows unauthenticated remote attackers to execute arbitrary code on the affected system. This can lead to full system compromise, data theft, data loss, service disruption, or the attacker gaining control over the application and potentially the underlying server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2018-25270 is a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code with application privileges. This can lead to unauthorized access, data breaches, and manipulation of sensitive information.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Organizations using vulnerable versions of ThinkPHP may face increased risk of non-compliance due to the possibility of data exposure or system compromise resulting from this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the vulnerable ThinkPHP application's index.php endpoint, specifically targeting the invokefunction mechanism.
A typical detection command involves using curl or similar HTTP clients to send a request that attempts to execute a harmless command such as phpinfo() to verify if remote code execution is possible.
- curl "http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'phpinfo();'"
If the response contains PHP information output, it confirms the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying proper input validation and authorization checks on the routing parameters to prevent unauthorized invocation of functions.
Updating ThinkPHP to a version later than 5.0.23 or 5.1.31 where this vulnerability is fixed is strongly recommended.
Additionally, restricting access to the index.php endpoint or disabling the invokefunction mechanism if not needed can reduce the attack surface.
Monitoring and blocking suspicious requests that attempt to exploit the invokefunction parameter can also help mitigate exploitation attempts.