CVE-2022-40916

9.8 CRITICAL

📋 TL;DR

CVE-2022-40916 is a session fixation vulnerability in Tiny File Manager v2.4.7 and below that allows attackers to hijack user sessions by fixing session IDs before authentication. This affects all users of vulnerable Tiny File Manager installations, particularly those exposed to the internet.

💻 Affected Systems

Products:
  • Tiny File Manager
Versions: v2.4.7 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configuration are vulnerable. The vulnerability exists in the session management logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the file manager instance leading to unauthorized file access, modification, deletion, and potential privilege escalation to the underlying system.

🟠 Likely Case: Unauthorized access to sensitive files, directory traversal, and potential data exfiltration from the file manager.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, though session security remains compromised.

🌐 Internet-Facing: HIGH - Directly exposed instances are easily exploitable with public PoC available.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates exploitation without authentication. Attack requires network access to vulnerable instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.4.8 and above

Vendor Advisory: https://github.com/prasathmani/tinyfilemanager

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download the latest version from GitHub.
3. Replace the vulnerable files with the patched version.
4. Verify that session regeneration occurs after authentication.

🔧 Temporary Workarounds

Session Regeneration Workaround (platform: all)

Manually implement session regeneration after successful authentication: modify the authentication logic to call session_regenerate_id(true) once the credentials have been verified, so that any session ID presented before login is discarded.
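The workaround above and the "Verify Fix Applied" check, as an added PHP example that is not Tiny File Manager's own code; the credential store, the form field names fm_usr/fm_pwd and the error_log hook are assumptions for illustration:

```php
<?php
// Added example (not Tiny File Manager's own code): a minimal login handler
// showing the session-fixation fix. Credential store, form field names
// (fm_usr/fm_pwd) and the logging hook are assumptions for illustration.

// Reject session IDs the server never issued: a fixated ID supplied by an
// attacker is discarded and a fresh one is generated instead.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();

// Constructed credential store: a password_hash() of a demo password.
$users = [
    'admin' => password_hash('change-me-before-use', PASSWORD_DEFAULT),
];

function login(string $user, string $pass, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        // Uniform failure path: do not reveal which field was wrong.
        return false;
    }
    // The fix: issue a new session ID after successful authentication and
    // delete the old session data, so a pre-authentication ID chosen by an
    // attacker never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['logged_in']  = true;
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $before = session_id();
    if (login($_POST['fm_usr'] ?? '', $_POST['fm_pwd'] ?? '', $users)) {
        // Verification hook: on a patched install the two IDs must differ.
        error_log(sprintf('login ok; session regenerated: %s',
            $before !== session_id() ? 'yes' : 'NO'));
        header('Location: index.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Submitting the form with a session cookie set beforehand and then comparing the cookie in the response is the same check described under "Verify Fix Applied".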

Access Restriction (platform: linux)

Restrict access to Tiny File Manager via network controls:

# Append the ACCEPT rule for the trusted source first, then the DROP rule for
# everyone else; with -A the order of insertion is the order of evaluation.
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IPs only
  • Monitor for suspicious session activity and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check the version in index.php or via the web interface. If the version is 2.4.7 or below, the system is vulnerable.

Check Version:

grep -i 'version' index.php | head -1

Verify Fix Applied:

Test for session fixation by setting a session ID before authentication, logging in, and verifying that a new session ID is issued after login; if the pre-login ID is still accepted, the fix is not in place.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with same session ID
  • Session IDs persisting across authentication events
  • Unauthorized file access patterns

Network Indicators:

  • HTTP requests with manipulated session cookies
  • Traffic to Tiny File Manager from unexpected sources

SIEM Query:

source="web_logs" AND (uri="/tinyfilemanager*" OR user_agent="*TinyFileManager*") AND (session_id_changes=0 OR cookie_manipulation_detected=true)
