VYPR
Critical severity · NVD Advisory · Published Aug 5, 2025 · Updated Aug 5, 2025

CVE-2025-50706

Description

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A file inclusion vulnerability in the routeCheck function of ThinkPHP 5.1 allows remote attackers to execute arbitrary code on Windows systems.

Vulnerability Details

CVE-2025-50706 is a file inclusion vulnerability in ThinkPHP version 5.1 that originates from improper handling of the s parameter in the routeCheck function. When processing the URL path information, the framework fails to sanitize backslash-based path traversal sequences (e.g., ..\..\), allowing an attacker to include arbitrary files from the filesystem [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the index.php endpoint with a malicious s parameter. On Windows systems, the attacker can leverage the PEAR PHP extension to achieve command execution. For example, the following payload includes a configuration file that writes a web shell: /index.php?s=..\..\..\Extensions\php\php7.3.4nts\pear\&+config-create+/<?=phpinfo();?>+1.php [1]. The attack requires no authentication and can be performed remotely over HTTP.

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the target server, leading to complete compromise of the web application and potentially the underlying operating system. This can result in data theft, malware installation, and further network penetration. The vulnerability is limited to Windows environments; Linux systems are not affected due to path separator differences [1].

Mitigation

As of the publication date, the vulnerability affects ThinkPHP versions 5.1.0 through 5.1.41 on Windows. Users should upgrade to a later version of ThinkPHP or apply vendor-provided patches. If upgrading is not immediately possible, consider implementing input validation to block path traversal sequences and restricting access to vulnerable endpoints.
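As an added, hypothetical example (not ThinkPHP's own code), the following PHP check applies the input validation this section recommends to the s parameter before the framework's routeCheck sees it: it decodes the value, folds Windows backslashes into forward slashes, and rejects any traversal segment. The function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not ThinkPHP's own code. Hypothetical pre-routing check
// for the `s` parameter, assumed to run before the framework bootstrap.

/** True for a plain module/controller/action route, false otherwise. */
function isSafeRoutePath(string $s): bool
{
    // PHP decodes $_GET once; decode again so %5c or %252e do not slip past.
    $decoded = $s;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    // On Windows "\" is a directory separator; fold it into "/" first.
    $path = str_replace('\\', '/', $decoded);

    // A null byte can truncate the path the framework later builds.
    if (strpos($path, "\0") !== false) {
        return false;
    }

    // Reject any ".." segment, absolute path or drive-letter prefix.
    if (in_array('..', explode('/', $path), true)) {
        return false;
    }
    if (preg_match('#^(/|[A-Za-z]:)#', $path) === 1) {
        return false;
    }

    // Routes are identifier-like names; allow only that character set.
    return preg_match('#^[A-Za-z0-9_./-]*$#', $path) === 1;
}

// Constructed cases: a normal route versus the traversal shapes above.
$cases = [
    'index/index/index'                   => true,
    '..\\..\\..\\Extensions\\php\\pear\\' => false, // advisory's shape
    '..%5c..%5cExtensions'                => false, // encoded backslash
    'admin/../../config'                  => false, // forward-slash form
];
foreach ($cases as $route => $expected) {
    if (isSafeRoutePath($route) !== $expected) {
        throw new RuntimeException("unexpected result for $route");
    }
}
```

Wire it in ahead of the framework bootstrap by answering with HTTP 400 whenever isSafeRoutePath($_GET['s']) returns false; upgrading to a fixed ThinkPHP release remains the real fix.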

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: topthink/framework (Packagist)
Affected versions: <= 5.1.41
Patched versions: none listed

Affected products (1)

  • thinkphp/thinkphp

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.