VYPR
Critical severity · NVD Advisory · Published Dec 6, 2021 · Updated Aug 4, 2024

CVE-2021-36567

Description

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP v6.0.8 contains a deserialization vulnerability in the Flysystem cache component that can lead to remote code execution.

Vulnerability

ThinkPHP v6.0.8 is vulnerable to PHP object deserialization via the League\Flysystem\Cached\Storage\AbstractCache class. The vulnerability is triggered when user-supplied serialized data is passed to unserialize() without proper sanitization, as demonstrated in a controller route accepting POST data [2]. The affected component is part of the top-think/framework package [1][3].

Exploitation

An attacker can exploit this by sending a crafted serialized payload to a ThinkPHP application that exposes an endpoint calling unserialize() on user input. The provided exploit chain uses the think\filesystem\CacheStore class to chain into think\cache\driver\File, which allows setting the serialize option to ['system'], enabling arbitrary command execution via the system function [2]. The attacker must have network access to the vulnerable endpoint and the ability to send POST data.

Impact

Successful exploitation allows an attacker to execute arbitrary system commands on the server, leading to full remote code execution. This can result in complete compromise of the application and underlying server, including data theft, file manipulation, and further lateral movement [2].

Mitigation

As of the available references, no official patch has been released for this vulnerability. Users should upgrade to a newer version of ThinkPHP if available, or apply input validation and avoid using unserialize() on untrusted data. The issue was reported in the project's GitHub repository [2], but no fixed version is explicitly mentioned. Monitor the vendor's repository for updates [3].
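As an added illustration of the mitigation advice above (example code, not from the advisory, the referenced exploit, or ThinkPHP; assumes PHP 8, with framework request wiring left out so both handlers simply take the raw POST field as a string), the vulnerable pattern beside a hardened handler that refuses any object in untrusted serialized data:

```php
<?php
// Added example: untrusted POST data reaching unserialize() (the pattern the
// advisory describes) beside a hardened handler. Framework wiring is omitted.

// Vulnerable pattern: default options let any serialized object, including
// gadget-chain classes such as those the advisory names, be instantiated.
function handleVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern: allowed_classes => false turns every object token into an
// __PHP_Incomplete_Class, so no application or library class is instantiated
// and none of its magic methods run; max_depth bounds nesting; any object that
// survives is still rejected, leaving only scalars and arrays.
function handleHardened(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    // unserialize() returns false both on failure and for serialized false ('b:0;').
    if ($value === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

// Recursively checks arrays for any object (including __PHP_Incomplete_Class).
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    return is_array($value)
        && array_reduce($value, fn ($hit, $item) => $hit || containsObject($item), false);
}

// Constructed inputs: a plain array, and a harmless serialized object that
// stands in for an attacker-controlled object payload.
var_dump(handleHardened(serialize(['user' => 'alice', 'page' => 2]))); // accepted
try {
    handleHardened('O:8:"stdClass":1:{s:1:"x";i:1;}');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // objects are not accepted
}
```

Where the data only needs to carry scalars and arrays, replacing the serialized format with JSON (json_decode with assoc arrays) removes the object-instantiation surface entirely rather than filtering it.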

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: topthink/framework (Packagist)
Affected versions: <= 6.0.8
Patched versions: none listed

Patches

No patches discovered yet.
