CVE-2024-44902
Description
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A PHP object injection gadget chain in ThinkPHP v6.1.3 through v8.0.4, rooted in the Memcached cache driver class, gives an attacker remote code execution wherever the application passes untrusted input to unserialize(); no authentication is needed when that sink is publicly reachable.
Vulnerability
Details
CVE-2024-44902 is a deserialization vulnerability in the ThinkPHP framework affecting versions 6.1.3 through 8.0.4. The framework ships classes whose magic methods, reached from the Memcached cache driver class, can be chained into arbitrary code execution when an attacker-controlled string is passed to unserialize(). This is a PHP object injection (POP) gadget chain: the framework supplies the gadgets, and the application supplies the sink by deserializing user input [1][2].
Exploitation
Exploitation needs a deserialization sink. The proof-of-concept reaches the chain through a public controller endpoint that calls unserialize() on user-supplied input, so an application-level unserialize() call on request data is the prerequisite [2]. The payload is a gadget chain that starts from the \think\cache\driver\Memcached class, passes through \think\model\Pivot and \think\DbManager, and reaches code execution by controlling the data, withAttr and json properties of the Model class [2]. The reference lists the Memcached extension as a requirement [2]; note, however, that unserialize() instantiates any autoloadable class without running its constructor and without consulting the cache configuration, so the gadget classes do not have to be the configured cache driver for the chain to load.
Impact
Successful exploitation gives the attacker arbitrary command execution in the context of the PHP process, which can lead to full system compromise, data exfiltration or lateral movement within the network. No authentication is needed when the endpoint that reaches unserialize() is itself reachable without authentication; otherwise the attacker needs whatever access that endpoint requires [1][2].
Mitigation
The advisory lists no patched version at the time of writing and the affected range ends at 8.0.4, so check the GitHub advisory for a fixed release before relying on an upgrade [1]. Independently of the framework version, close the sink: never pass request data to unserialize(). Where PHP serialization of untrusted data cannot be avoided, call unserialize() with ['allowed_classes' => false] (or an explicit allow-list), which prevents any object, and therefore any gadget chain, from being instantiated; prefer JSON for untrusted input. Switching cache drivers does not remove the \think\cache\driver\Memcached class from the autoloader, so that alone is not a reliable mitigation. The vulnerability is publicly documented with proof-of-concept code, which increases the likelihood of active exploitation [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
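The unserialize() sink the exploit depends on, and the two ways to close it, as an added PHP example that is not ThinkPHP code or code from the advisory. The Gadget class, the load* functions and the payload are constructed for the demo; a real payload would name the framework classes listed above instead of Gadget. Requires PHP 8.

```php
<?php
// Added example (not ThinkPHP or advisory code). Shows the unserialize() sink
// a gadget chain needs and two hardened replacements. Gadget, the load*
// functions and the payload are all constructed for this demo; a real
// payload would name framework classes such as think\cache\driver\Memcached.
declare(strict_types=1);

// Stand-in for a framework class with a magic method. Real chains begin the
// same way: unserialize() instantiates the class without its constructor and
// PHP then runs __wakeup/__destruct/__toString on attacker-chosen properties.
class Gadget
{
    public $data;

    public function __wakeup(): void
    {
        echo "Gadget::__wakeup ran with data=", $this->data, "\n";
    }
}

// Vulnerable pattern: request data reaches unserialize() unrestricted.
function loadStateVulnerable(string $raw): mixed
{
    $bytes = base64_decode($raw, true);
    return $bytes === false ? null : unserialize($bytes);
}

// Hardened 1: keep PHP serialization but forbid object instantiation.
// allowed_classes (PHP 7.0+) turns every object in the payload into
// __PHP_Incomplete_Class, whose magic methods never run, so no gadget chain
// can start regardless of which framework classes are autoloadable.
function loadStateHardened(string $raw): mixed
{
    $bytes = base64_decode($raw, true);
    return $bytes === false ? null : unserialize($bytes, ['allowed_classes' => false]);
}

// Hardened 2: do not use PHP serialization for untrusted input at all.
function loadStateJson(string $raw): ?array
{
    $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed payload: one serialized Gadget object with a chosen property.
$payload = base64_encode('O:6:"Gadget":1:{s:4:"data";s:5:"hello";}');

echo "vulnerable path:\n";
loadStateVulnerable($payload);        // the magic method runs on our data

echo "hardened path:\n";
$safe = loadStateHardened($payload);  // the object comes back inert
echo "class of result: ", get_class($safe), "\n";

echo "json path:\n";
var_dump(loadStateJson('{"data":"hello"}'));
```

Run with `php example.php`: the vulnerable path prints the line from Gadget::__wakeup, the hardened path prints nothing from Gadget and reports the result as __PHP_Incomplete_Class, and the JSON path yields a plain array. The allowed_classes option is the cheapest fix to retrofit because it neutralises every object-based gadget chain at once, not just the one described in this advisory; the JSON variant is the better long-term design.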
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | >= 6.1.3, <= 8.0.4 | — |
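A check a practitioner can run against a deployment, as an added PHP example that is not code from the advisory or the ThinkPHP project: it applies the affected range from the table above to a Composer lock file. The lock file contents are constructed for the demo; the script assumes PHP 8 for str_starts_with() and match.

```php
<?php
// Added example, not from the advisory or the ThinkPHP project: decide from a
// Composer lock file whether the installed topthink/framework falls in the
// affected range above (>= 6.1.3, <= 8.0.4). The lock file below is
// constructed; run it against the real file with file_get_contents().
declare(strict_types=1);

const AFFECTED_PACKAGE = 'topthink/framework';
const AFFECTED_MIN = '6.1.3'; // inclusive
const AFFECTED_MAX = '8.0.4'; // inclusive; the advisory lists no patched version

// Return the locked version of $package, or null when it is not installed.
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $all = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            return (string) ($pkg['version'] ?? '');
        }
    }
    return null;
}

// true = inside the range, false = outside, null = cannot tell (a branch
// alias such as "dev-master" carries no comparable number).
function affectedStatus(string $version): ?bool
{
    if (str_starts_with($version, 'dev-')) {
        return null;
    }
    // Composer tags look like "v8.0.4"; version_compare() wants "8.0.4".
    $v = ltrim($version, 'v');
    return version_compare($v, AFFECTED_MIN, '>=')
        && version_compare($v, AFFECTED_MAX, '<=');
}

// Constructed lock file with the framework pinned to the last affected release.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'topthink/framework', 'version' => 'v8.0.4'],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

$version = installedVersion($sampleLock, AFFECTED_PACKAGE);
if ($version === null) {
    echo AFFECTED_PACKAGE, " is not in the lock file\n";
} else {
    echo AFFECTED_PACKAGE, ' ', $version, ': ',
        match (affectedStatus($version)) {
            true  => 'inside the affected range; audit every unserialize() call reachable from a request',
            false => 'outside the affected range',
            null  => 'branch version, compare the checked-out commit against the advisory by hand',
        }, "\n";
}
```

Because the table lists no patched version, a version inside the range is only the first half of the answer; the second half is whether any request-reachable code path calls unserialize() on user input, which is what turns the gadget chain into a working exploit.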
Affected products
- Thinkphp/Thinkphp
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-f4wh-359g-4pq7 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-44902 (advisory, via GHSA)
- [3] thinkphp.com (web, via GHSA)
News mentions
No linked articles in our index yet.