CVE-2022-33107
Description
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkPHP v6.0.12 contains a deserialization vulnerability in the flysystem-cached-adapter's AbstractCache.php, allowing remote code execution via crafted payloads.
ThinkPHP v6.0.12 is vulnerable to a PHP deserialization flaw in the vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php component [1]. The vulnerability arises from insecure deserialization of user-supplied data, which can be exploited to execute arbitrary code on the server.
An attacker can exploit this vulnerability by sending a crafted serialized payload to any endpoint that performs an unserialize() call on user input. The official proof-of-concept demonstrates sending a POST parameter cmd containing a malicious serialized object chain that triggers code execution [2]. No authentication is required if such an endpoint is publicly accessible.
Successful exploitation leads to arbitrary code execution in the context of the web server, allowing the attacker to execute system commands, read sensitive files, or install backdoors. The impact is critical, as it can result in full compromise of the affected application and server.
The vulnerability was patched in subsequent releases of ThinkPHP. Users are strongly advised to upgrade to ThinkPHP 6.0.13 or later. As a workaround, ensure that no user-controlled data is passed to unserialize() without proper validation. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
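The workaround described above (never pass user-controlled data to unserialize() without validation) can be sketched as follows. This is an added PHP example, not code from ThinkPHP or flysystem-cached-adapter; the function names, the depth limit and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration; function names and sample inputs are constructed,
// not taken from ThinkPHP or flysystem-cached-adapter.

/** True if $value is, or contains at any depth, an object. */
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Decode client-supplied serialized data, accepting arrays of scalars only. */
function decodeClientData(string $raw): array
{
    // allowed_classes => false: serialized objects become inert
    // __PHP_Incomplete_Class instances, so no application class is
    // instantiated and no __wakeup()/__destruct() of such a class runs.
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Constructed inputs: a plain array, and an array holding a made-up class.
$samples = [
    serialize(['page' => 2, 'sort' => 'name']),
    'a:1:{s:1:"x";O:10:"DemoGadget":0:{}}',
];
foreach ($samples as $raw) {
    try {
        echo json_encode(decodeClientData($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where the application controls the data format, exchanging JSON with json_decode() avoids object instantiation altogether.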
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 6.0.12 | — |
Affected products
- ThinkPHP/ThinkPHP (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g377-x8rg-c9mf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-33107 (ghsa, ADVISORY)
- github.com/top-think/framework/issues/2717 (ghsa, x_refsource_MISC, WEB)