CVE-2025-63889
📋 TL;DR
This vulnerability in ThinkPHP 5.0.24 allows attackers to read arbitrary files on the server through crafted template values. It affects any application using the vulnerable version of ThinkPHP's template engine. Attackers can exploit this to access sensitive files like configuration files, source code, or system files.
💻 Affected Systems
- ThinkPHP
📦 What is this software?
ThinkPHP is an open-source PHP web application framework; the affected component is its built-in template engine.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files containing database credentials, API keys, or other secrets, potentially leading to data breach or further system exploitation.
Likely Case
Information disclosure of sensitive files such as configuration files, source code, or environment files, which could enable further attacks.
If Mitigated
Limited impact with proper file permissions and network segmentation preventing access to critical system files.
🎯 Exploit Status
Public proof-of-concept available in a GitHub gist. Exploitation requires user-controlled input to reach template rendering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.25 or later
Vendor Advisory: https://www.thinkphp.cn/
Restart Required: No
Instructions:
1. Update ThinkPHP to version 5.0.25 or later.
2. Replace the vulnerable Template.php file with the patched version.
3. Clear any cached template files.
🔧 Temporary Workarounds
Input validation for template values
Implement strict validation on any user input that reaches template rendering functions, so that path traversal sequences are rejected before a template path is resolved.
Disable template fetching from user input
Modify application code so that user-controlled values are never passed to template fetch functions; select templates from a fixed allow-list instead.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns in template parameters.
- Restrict file system permissions to limit what files the web server user can read.
🔍 How to Verify
Check if Vulnerable:
Check if ThinkPHP version is 5.0.24 by examining composer.json or framework files. Test with controlled template input containing path traversal sequences.
Check Version:
Check composer.json for 'thinkphp/framework' version or examine thinkphp/base.php for version constant.
Verify Fix Applied:
Verify ThinkPHP version is 5.0.25 or later. Test the same exploit attempt to confirm it fails.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in template rendering logs
- Multiple failed attempts to access system files through template parameters
Network Indicators:
- HTTP requests containing path traversal sequences in template-related parameters
SIEM Query:
source='web_logs' AND (uri CONTAINS 'template' OR uri CONTAINS 'fetch') AND (params CONTAINS '../' OR params CONTAINS '..\\')
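The SIEM logic above, as an added example that is not part of the advisory or of the ThinkPHP project: a small Python scanner that applies the same rule to constructed access-log lines, percent-decoding repeatedly so that encoded and double-encoded traversal is not missed. The parameter watch-list (`template`, `tpl`, `fetch`, `display`, `view`) and the log lines are assumptions, not names or traffic taken from ThinkPHP.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?s=index/view&template=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?s=index/view&template=../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?fetch=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?fetch=%252e%252e%252fconfig HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?tpl=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 64',
    '10.0.0.7 - - [01/Jan/2025:10:00:06 +0000] "POST /login HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed watch-list of template-related parameter names (hypothetical, not ThinkPHP's).
TEMPLATE_PARAMS = ("template", "tpl", "fetch", "display", "view")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def decode_fully(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so %252e%252e%252f -> ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(line):
    """Return (param, decoded_value) when a template-related parameter carries traversal, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for key, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double-encoding.
        value = decode_fully(raw)
        if key.lower() in TEMPLATE_PARAMS and TRAVERSAL_RE.search(value):
            return key, value
    return None


def scan(lines):
    """Return (line_index, param, decoded_value) for every line that matches the rule."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := find_traversal(line))]
```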