A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
The vulnerability results from unsafe processing (deserialization) of untrusted input data by the ThinkPHP framework (CWE-502). An attacker can provide a specially crafted payload that, during deserialization, is executed as code on the server side. The attack vector is network-based, requires no authentication or user interaction, making it particularly dangerous.
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which may lead to complete system takeover, data breach, and violation of service integrity and availability.
Patches available from the vendor should be applied according to the references. It is recommended to update the ThinkPHP framework as soon as possible to a version higher than v8.0.4 and monitor the official vendor channel at http://thinkphp.com for detailed update instructions.
ThinkPHP in versions from v6.1.3 to v8.0.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThinkphp
APPThinkphp6.1.3 – 8.0.4
Related vulnerabilities
ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)
RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24
RCE w ThinkPHP 3 — wykonanie kodu przez komponent index.php
RCE w ThinkPHP 5.1 przez funkcję routecheck
ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)