CVE-2022-47945: ThinkPHP Framework vulnerable to remote code execution
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-47945
GHSA ID
EPSS Score: 0.99472%
CWE
Published: 12/23/2022
Updated: 8/17/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
topthink/framework | composer | < 6.0.14 | 6.0.14 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path sanitization in the language detection mechanism. The pre-patch version of `detect()` in `LoadLangPack.php` took user input from GET parameters, headers or cookies via `$request->get()` and used it to set `$langSet` without validating it against path traversal sequences. The attacker-controlled `$langSet` was then used to build a file path for inclusion via `Lang::load()`, enabling arbitrary file inclusion. The commit patched this in two steps: 1) removing the forced lowercase conversion (which could bypass some checks) and 2) adding proper regex validation of the language string before the path is constructed.