VYPR
High severity · NVD Advisory · Published Mar 20, 2022 · Updated Aug 3, 2024

CVE-2022-25481

Description

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP 5.0.24 default configuration leaks system environment variables via index.php when PATHINFO is not set.

Vulnerability

ThinkPHP Framework v5.0.24, when deployed without the PATHINFO parameter configured, exposes system environment parameters through the index.php entry point. The vulnerability arises because the framework's default routing mechanism processes a request such as http://serverName/index.php?s=example and, if no matching module is found, outputs debugging-style information including server/request data and ThinkPHP constants. The issue affects version 5.0.24 specifically, as noted in the CVE description and the related researcher's disclosure [1][3].

Exploitation

An attacker needs only network access to the affected ThinkPHP application. No authentication or special privileges are required. By sending a crafted GET request to index.php with an unknown module via the s parameter (e.g., GET /index.php?s=example HTTP/1.1), the server responds with detailed system environment information. The attack does not require any user interaction or prior knowledge beyond the server's base URL [3].

Impact

Successful exploitation leads to information disclosure of sensitive system environment parameters, such as server paths, database credentials, and other configuration values that would normally be hidden in production. While the vulnerability does not directly enable remote code execution or file modification, the leaked data can significantly aid an attacker in further compromising the application or its underlying infrastructure [1][3].

Mitigation

No official patch has been released for this issue, and the disclosure is disputed by a third party who notes that environment exposure is an intended feature of debugging mode. Administrators should ensure ThinkPHP is not run in debug mode on production systems, explicitly configure PATHINFO settings, or apply input filtering to the s parameter. As of the publication date (2022-03-20), no fixed version was available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:            topthink/framework (Packagist)
Affected versions:  <= 5.0.24
Patched versions:   none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0