Remote Code Execution (RCE)
Description
The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
elFinder before 2.1.58 allows RCE via uploaded .phar files when the server parses them as PHP.
Vulnerability
The package studio-42/elFinder before version 2.1.58 is vulnerable to Remote Code Execution (RCE) via the upload of a .phar file [1][4]. The upload filter did not disallow .phar files, and many Linux distributions ship Apache configured to process .phar as PHP scripts [4]. This allows an attacker to upload a malicious .phar file that is then executed on the server.
Exploitation
An attacker needs network access to the elFinder instance and must be able to upload files (which is a standard feature) [1][4]. No authentication is required if the connector is exposed publicly, but the exploit can also be performed by an authenticated user. The attacker uploads a .phar file containing arbitrary PHP code. When the uploaded file is then requested and the web server passes it to the PHP interpreter, the PHP code executes in the context of the elFinder connector [4].
Impact
Successful exploitation leads to Remote Code Execution (RCE) with the privileges of the web server user [1][4]. The attacker gains full control over the server's file system and can execute arbitrary commands, potentially leading to complete compromise of the server and its data [1][4].
Mitigation
Update to elFinder version 2.1.58, released on or before 2021-06-13, which associates .phar files with the correct MIME type and blocks their upload unless explicitly allowed [4]. If unable to update, ensure the connector is not exposed without authentication [4]. Administrators should review the additionalMimeMap configuration to block any extensions that can be executed on the web server [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
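An added illustration of the `additionalMimeMap` workaround named under Mitigation, for deployments that cannot yet move to 2.1.58 (example connector options written for this page, not code from the elFinder project or the advisory). It assumes the standard elFinder `LocalFileSystem` root options `uploadDeny`, `uploadAllow` and `uploadOrder`, and that `additionalMimeMap` takes the same `'ext:*' => mime` keys that the fix commit adds to the built-in map.

```php
<?php
// Added example: two elFinder root configurations side by side.
// Assumed option names: uploadDeny / uploadAllow / uploadOrder /
// additionalMimeMap (check them against your elFinder version).

// WEAK: relies on the volume driver's built-in MIME map to recognise
// PHP, but before 2.1.58 that map had no entry for "phar", so a file
// with that extension is not classified as text/x-php and the deny
// rule below has nothing to match.
$weakRoot = array(
    'driver'      => 'LocalFileSystem',
    'path'        => '../files/',
    'URL'         => dirname($_SERVER['PHP_SELF']) . '/../files/',
    'uploadDeny'  => array('text/x-php'),     // denylist of one type
    'uploadAllow' => array('all'),            // everything else passes
    'uploadOrder' => array('deny', 'allow'),
);

// HARDENED:
//  (1) deny everything by default and allow only what the application
//      actually needs, so an unmapped extension is rejected, not admitted;
//  (2) map .phar to text/x-php from configuration, mirroring the entry
//      the 2.1.58 fix adds to the built-in map; any further extension
//      that your web server hands to the PHP handler belongs here too.
$hardenedRoot = array(
    'driver'      => 'LocalFileSystem',
    'path'        => '../files/',
    'URL'         => dirname($_SERVER['PHP_SELF']) . '/../files/',
    'uploadDeny'  => array('all'),
    'uploadAllow' => array('image/jpeg', 'image/png', 'image/gif', 'text/plain'),
    'uploadOrder' => array('deny', 'allow'), // deny first, allowlist last
    'additionalMimeMap' => array(
        'phar:*' => 'text/x-php',            // same key/value as the fix
    ),
    'accessControl' => 'access',             // hide dot files (stock default)
);

// Use only the hardened root for the connector.
$opts = array(
    'roots' => array($hardenedRoot),
);
```

Keep the connector behind authentication regardless of the upload policy, since the MIME mapping only governs what the upload filter recognises, not who may call it.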
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | < 2.1.58 | 2.1.58 |
Affected products
- studio-42/elfinder
Patches
75ea92decc16 [VD:abstract] add `'phar:*' => 'text/x-php'` into 'staticMineMap'
1 file changed · +1 −0
php/elFinderVolumeDriver.class.php+1 −0 modified@@ -281,6 +281,7 @@ abstract class elFinderVolumeDriver 'php5:*' => 'text/x-php', 'php7:*' => 'text/x-php', 'phtml:*' => 'text/x-php', + 'phar:*' => 'text/x-php', 'cgi:*' => 'text/x-httpd-cgi', 'pl:*' => 'text/x-perl', 'asp:*' => 'text/x-asap',
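Review bot: the new `'phar:*' => 'text/x-php'` entry, like the neighbouring `'php5:*'`, `'php7:*'` and `'phtml:*'` entries, matches only that exact extension, so the fix is one more line in a per-extension list and leaves any other extension that a given web server hands to the PHP handler to the administrator's `additionalMimeMap`. Suggest saying so in the commit message, and adding a regression test that feeds a `.phar` name through the MIME lookup and asserts `text/x-php`, so the entry cannot be silently dropped later.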
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qm58-cvvm-c5qr
- nvd.nist.gov/vuln/detail/CVE-2021-23394
- blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
- github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1
- github.com/Studio-42/elFinder/issues/3295
- github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr
- snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554