Deserialization of Untrusted Data
Description
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ThinkPHP framework before 6.0.12 is vulnerable to deserialization of untrusted data in the Driver class, enabling RCE.
Vulnerability
The topthink/framework (ThinkPHP) versions before 6.0.12 are vulnerable to deserialization of untrusted data due to an insecure unserialize method in the Driver class. The method lacked proper type checking on its parameter, allowing an attacker to pass arbitrary serialized data. This affects all versions prior to the patch. [1][2][4]
Exploitation
An attacker must have the ability to provide serialized data to the affected unserialize method, typically through a crafted request that reaches the Driver class. No authentication is required if the method is exposed via an HTTP endpoint. The attacker can prepare a malicious serialized PHP object that, upon deserialization, triggers arbitrary code execution. [1][4]
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to complete compromise of the application's confidentiality, integrity, and availability. The attacker can potentially gain full control of the server. [2][4]
Mitigation
The vulnerability is fixed in version 6.0.12, released on January 13, 2022. Users should upgrade to 6.0.12 or later. No workaround is documented; upgrading is the recommended action. [3][4]
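As an added example (not code from topthink/framework), the block below models the cache-driver pattern the advisory describes: an is_numeric early return followed by a call to PHP's unserialize(). The weak form passes cache bytes to unserialize() with default options, so any class named in the payload is instantiated; the hardened form beside it uses the allowed_classes and max_depth options of unserialize() and rejects any payload that contained an object. The class and method names are assumptions, and the sample payloads are constructed for the example; it requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from topthink/framework. Class and method names
// are hypothetical; the shape (is_numeric early return, then unserialize)
// mirrors the cache-driver pattern the advisory describes. Requires PHP 8.0+.

final class ExampleCacheCodec
{
    /**
     * Weak form: cache bytes reach unserialize() with default options, so any
     * class named in the payload is instantiated and its magic methods
     * (__wakeup, __destruct, ...) run. Acceptable only if every writer to the
     * cache store is trusted, which is exactly the assumption that fails here.
     */
    public static function unserializeUnsafe(string $data): mixed
    {
        if (is_numeric($data)) {
            return $data;
        }
        return unserialize($data);
    }

    /**
     * Hardened form: allowed_classes => false stops instantiation of any class
     * (objects come back as __PHP_Incomplete_Class), max_depth bounds nesting,
     * and a payload that contained any object is rejected outright, so callers
     * only ever receive scalars and arrays of scalars.
     */
    public static function unserializeSafe(string $data): mixed
    {
        if (is_numeric($data)) {
            return $data;
        }
        // unserialize() returns false both for the serialized value false
        // ("b:0;") and for malformed input; the two are told apart explicitly.
        $value = @unserialize($data, ['allowed_classes' => false, 'max_depth' => 32]);
        if ($value === false && $data !== 'b:0;') {
            throw new UnexpectedValueException('cache payload is not valid serialized data');
        }
        if (self::containsObject($value)) {
            throw new UnexpectedValueException('cache payload contained an object; only scalars and arrays are accepted');
        }
        return $value;
    }

    // Recursive walk: true if the decoded value holds an object anywhere,
    // including a __PHP_Incomplete_Class produced by allowed_classes => false.
    private static function containsObject(mixed $value): bool
    {
        if (is_object($value)) {
            return true;
        }
        if (is_array($value)) {
            foreach ($value as $item) {
                if (self::containsObject($item)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Constructed sample payloads (not taken from the advisory).
$plainArray    = serialize(['user' => 'alice', 'ttl' => 300]); // plain array of scalars
$objectPayload = serialize(new stdClass());                    // a harmless object standing in for an object payload

// The hardened decoder returns the array untouched.
$decoded = ExampleCacheCodec::unserializeSafe($plainArray);
echo 'safe decode of array: user=', $decoded['user'], PHP_EOL;

// The weak decoder instantiates whatever class the payload names.
$weak = ExampleCacheCodec::unserializeUnsafe($objectPayload);
echo 'weak decode produced an instance of ', get_class($weak), PHP_EOL;

// The hardened decoder refuses the same object payload instead of instantiating it.
try {
    ExampleCacheCodec::unserializeSafe($objectPayload);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Pinning allowed_classes to false (or to an explicit list of the value classes the cache is expected to hold) is the control that removes object instantiation from the deserialization path regardless of where the cached bytes came from; for the framework itself, upgrading to 6.0.12 remains the fix the advisory recommends.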
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | < 6.0.12 | 6.0.12 |
Affected products
- topthink/framework
Patches
d3b5aeae94bc Improve the parameter type restriction of the cache driver's unserialize method
1 file changed · +1 −1
src/think/cache/Driver.php+1 −1 modified@@ -249,7 +249,7 @@ protected function serialize($data): string * @param string $data 缓存数据 * @return mixed */ - protected function unserialize(string $data) + protected function unserialize($data) { if (is_numeric($data)) { return $data;
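Review bot: the hunk drops the `string` declaration from `unserialize()` but leaves the docblock's `* @param string $data` in the surrounding context unchanged, so the documented type no longer matches the signature; update the `@param` line to the types the method now accepts (the `is_numeric($data)` early return in the context suggests numeric values arrive alongside strings). The commit title says the parameter type restriction is improved, yet the visible lines only widen the parameter; the rest of the method body is cut off at `return $data;`, so if a new check on the payload lives further down, a line in the commit body pointing to it would help anyone reading this patch from the advisory.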
References
- github.com/advisories/GHSA-3fpv-54ff-wqfj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23592 (NVD)
- github.com/top-think/framework/commit/d3b5aeae94bc71bae97977d05cd12c3e0550905c (fix commit)
- github.com/top-think/framework/releases/tag/v6.0.12 (release)
- snyk.io/vuln/SNYK-PHP-TOPTHINKFRAMEWORK-2385695 (Snyk)