CVE-2022-45982
Description
ThinkPHP 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability allowing arbitrary code execution via crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2022-45982 is a deserialization vulnerability affecting ThinkPHP framework versions 6.0.0 through 6.0.13 and 6.1.0 through 6.1.1 [1]. The issue arises when PHP's unserialize() is applied to attacker-supplied input: unserialize() instantiates whatever class the payload names and populates its properties from the payload, so the attacker controls the resulting object graph [1][2]. The affected ThinkPHP versions ship classes whose properties and magic methods can be chained from such an object graph to a code-execution sink, and the framework performs no validation of serialized data that would prevent this [2].
Exploitation
Exploitation requires a sink: an endpoint that passes attacker-controlled bytes to unserialize(). ThinkPHP does not need to expose such an endpoint itself; the published proof-of-concept (PoC) supplies one by adding a custom endpoint that calls unserialize($payload) and then sends its chain to it [2]. The chain is assembled from classes that ship with ThinkPHP, including think\Model, think\App, think\Request, think\route\Url, think\log\Channel and think\session\Store, and terminates in a call_user_func() invocation of system() [2]. Given such a sink, no privileges beyond network access to the endpoint are needed [2]. The practical consequence is that any application on an affected version that hands untrusted input to unserialize() anywhere in its own code is exposed to the chain, whether or not it uses the framework classes involved.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the server with the privileges of the web application [1][2]. This could lead to full compromise of the affected server, including data theft, malware installation, or lateral movement within the network [1]. The vulnerability has a CVSS score of 9.8 (Critical), indicating high severity due to low attack complexity and no required privileges [1].
Mitigation
Users should upgrade to a patched version of ThinkPHP promptly. According to the vendor's repository, ThinkPHP 8.0 and later are not affected, as they have addressed the deserialization issue [3]. For 6.x, the official recommendation is to apply security updates or move to the latest stable release that includes the fix [3]; note that the advisory data in the table below lists no patched 6.x version, so confirm the fix in the vendor changelog before relying on a 6.x release. Upgrading removes this gadget chain, not the application's own unserialize() call: any code path that deserializes untrusted input should be replaced with a plain data format such as JSON or, at minimum, restricted with unserialize()'s allowed_classes option, since a future gadget chain in any dependency would reuse the same sink. There is no evidence of active exploitation in the wild, but given the criticality and the public PoC, immediate action is advised.
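As an added illustration (not code from ThinkPHP or from the PoC), the PHP below shows the kind of sink the Exploitation section depends on next to two hardened replacements that close it independently of the framework upgrade. The classes Preference and Sink and the three loader functions are hypothetical; Sink merely stands in for "a class the attacker chose", it does not reproduce the real think\* chain.

```php
<?php
// Added example (not code from ThinkPHP or the PoC). Demonstrates the sink
// CVE-2022-45982 needs, unserialize() on attacker-controlled bytes, next to
// two hardened replacements. Preference, Sink and the loaders are hypothetical.
declare(strict_types=1);

// Stand-in for a gadget class: a magic method with an observable side effect.
// Hypothetical; the real chain (think\Model ... -> system()) is not reproduced.
final class Sink
{
    public static bool $fired = false;

    public function __wakeup(): void
    {
        self::$fired = true;
    }
}

// The only object type the endpoint legitimately expects.
final class Preference
{
    public function __construct(public string $theme = 'light') {}
}

// VULNERABLE: unserialize() instantiates whatever class the payload names, so
// every class autoloadable in the app (the framework's included) is a candidate gadget.
function loadPreferenceVulnerable(string $payload): mixed
{
    return unserialize($payload);
}

// HARDENED (a): keep the wire format but refuse to instantiate anything else.
// Disallowed classes come back as __PHP_Incomplete_Class, whose magic methods
// never run, and the instanceof check then rejects them.
function loadPreferenceAllowlisted(string $payload): ?Preference
{
    $obj = @unserialize($payload, ['allowed_classes' => [Preference::class]]);
    return $obj instanceof Preference ? $obj : null;
}

// HARDENED (b): drop PHP serialization for untrusted input altogether; decode
// JSON into arrays and rebuild the object through its own constructor.
function loadPreferenceJson(string $payload): ?Preference
{
    try {
        $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data) || !is_string($data['theme'] ?? null)) {
        return null;
    }
    return new Preference($data['theme']);
}

// Constructed inputs: the benign one is what the app itself would emit; the
// hostile one names a class the endpoint never intended to instantiate.
$benign  = serialize(new Preference('dark'));
$hostile = 'O:4:"Sink":0:{}';

loadPreferenceVulnerable($hostile);
printf("vulnerable loader ran Sink::__wakeup: %s\n", Sink::$fired ? 'yes' : 'no');

Sink::$fired = false;
$viaAllowlist = loadPreferenceAllowlisted($hostile);
printf("allowlisted loader ran Sink::__wakeup: %s, returned %s\n",
    Sink::$fired ? 'yes' : 'no', var_export($viaAllowlist, true));
printf("allowlisted loader on benign payload: theme=%s\n",
    loadPreferenceAllowlisted($benign)?->theme);
printf("json loader: theme=%s\n", loadPreferenceJson('{"theme":"dark"}')?->theme);
printf("json loader on serialized input: %s\n",
    var_export(loadPreferenceJson($hostile), true));
```

Option (a) is a containment measure for code that cannot change its wire format yet; it stops arbitrary instantiation but still parses attacker bytes with unserialize(), so option (b) is the one to migrate to. Neither replaces the upgrade, which is what removes the chain for any sink you have not found.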
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/think (Packagist) | <= 6.1.1 | — |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.