Miggo Logo
Miggo Vulnerability Database
CVE-2025-50706

CVE-2025-50706: ThinkPHP Path Traversal Vulnerability

N/A

CVSS Score

Basic Information

CVE ID
CVE-2025-50706
GHSA ID
GHSA-mrwc-mvr8-9xq5
EPSS Score
-
CWE
CWE-22
Published
8/5/2025
Updated
8/5/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
topthink/frameworkcomposer<= 5.1.41

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a path traversal issue in ThinkPHP framework version 5.1.41 and below, specifically on Windows systems. The root cause is the improper sanitization of the s parameter, which is used for URL routing. An attacker can use ..\ sequences to traverse directories because the application's check for valid modules using is_dir can be bypassed on Windows.

The exploitation flow starts with the think\App::routeCheck function, which processes the request. The malicious payload is retrieved by think\Request::pathinfo. The core of the vulnerability lies in think\route\dispatch\Module::init, where the is_dir check fails to prevent directory traversal. Finally, think\App::loadFile is used to include a PHP file from the traversed directory, leading to remote code execution.

The analysis of the provided blog post was crucial in identifying the vulnerable functions and the exploitation chain, as no official patch commit was available.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* in T*inkP*P *r*m*work v.*.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* t** rout*****k *un*tion.

Reasoning

T** vuln*r**ility is * p*t* tr*v*rs*l issu* in T*inkP*P *r*m*work v*rsion *.*.** *n* **low, sp**i*i**lly on Win*ows syst*ms. T** root **us* is t** improp*r s*nitiz*tion o* t** `s` p*r*m*t*r, w*i** is us** *or URL routin*. *n *tt**k*r **n us* `..\` s*
CVE-2025-50706: ThinkPHP Route Path Trav RCE | Miggo