CVE-2025-67084
📋 TL;DR
InvoicePlane does not sufficiently restrict the type of file that an authenticated user can attach to a record. An attacker with a valid account can upload a PHP file as an attachment and then request it through the web server, which executes it as the web server account and gives the attacker a webshell on the host. InvoicePlane 1.6.3 and earlier are affected; upgrade or apply the workarounds below as soon as possible.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane is an open-source, self-hosted invoicing and quoting web application written in PHP, maintained by the InvoicePlane project on GitHub.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Webshell deployment leading to data theft, credential harvesting, and further exploitation of the hosting environment.
If Mitigated
Limited impact if file uploads are disabled or properly restricted, though authenticated users could still attempt exploitation.
🎯 Exploit Status
Exploitation is straightforward for authenticated users; public proof-of-concept code exists in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4 or later
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane
Restart Required: No
Instructions:
1. Back up your InvoicePlane installation and database.
2. Download the latest release from GitHub.
3. Replace all files except the uploads folder and application/config/config.php.
4. Clear your browser cache and verify that the application still works.
🔧 Temporary Workarounds
Restrict PHP file uploads
Configure the web server so that nothing under the upload directory is ever handed to the PHP interpreter. This stops already-uploaded files from executing but does not stop the upload itself, so combine it with the controls below.
# For Apache 2.4: add to .htaccess in the upload directory (AllowOverride must permit it).
# <Files *.php> only matches names ending exactly in .php; match every extension
# the PHP handler may be configured for.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
# Apache 2.2 equivalent of "Require all denied":
#   Order Deny,Allow
#   Deny from all
# With mod_php (not PHP-FPM) you may additionally add "php_flag engine off";
# on a server without mod_php that directive causes a 500 error, so test first.
# For Nginx: add inside the server block, BEFORE the general "location ~ \.php$"
# block that passes requests to PHP-FPM. Regex locations are tried in order, so
# this must come first. Scope it to the upload directory: an unscoped
# "location ~* \.php$ { deny all; }" would also block InvoicePlane's own index.php.
location ~* ^/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
Disable file uploads
Temporarily disable the attachment upload functionality: use the admin settings if the installed version offers such an option, or remove the web server account's write permission on the upload directory so that uploads fail. Note that other features which write to that directory may stop working as well, so test on a staging copy first.
🧯 If You Can't Patch
- Implement strict file upload validation: allow only the specific types you need (PDF, images), check the file's magic bytes against the declared extension rather than trusting the client-supplied name or Content-Type, reject names with more than one extension (shell.php.pdf) or any PHP extension anywhere in the name, and store uploads under server-generated names
- Restrict user permissions: limit attachment upload capability to trusted administrators only, and review existing accounts for unexpected users
🔍 How to Verify
Check if Vulnerable:
Confirm that the installed version is 1.6.3 or earlier. On a test instance, also check whether an attachment with a .php name is accepted and whether a file with a .php name placed under the upload directory is executed by the web server rather than served as a download.
Check Version:
Check the IP_VERSION constant in application/config/constants.php or view the footer in the web interface
Verify Fix Applied:
Verify that the version is 1.6.4 or later, then attempt to upload a .php attachment (it should be rejected). If you applied the web server workaround, also request a harmless test file with a .php name under the upload directory and confirm it is refused rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Files with .php, .phtml or .phar extensions, or files whose content begins with "<?php", appearing in the attachment upload directory
- Attachment uploads from accounts that do not normally use the feature, or bursts of uploads from one account
- Web server requests for files under /uploads/ that were handled by the PHP interpreter (a 2xx response with a PHP-generated body rather than a file download)
Network Indicators:
- HTTP GET requests for /uploads/<name>.php, especially shortly after a POST from the same client (the upload step)
- Unusual outbound connections from the web server process
SIEM Query (pseudo-query; adapt the field names to your log schema):
source="web_server" AND uri="/uploads/*.php*"
Note that the upload itself is a POST to InvoicePlane's attachment handler, not to /uploads/, and the access log does not record the uploaded filename; pair the web log query with a periodic scan of the upload directory for PHP files.
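The detection logic above, run over constructed access log lines as an added example (not part of the advisory). It parses Apache/Nginx combined-format lines and flags any request for a PHP-like file under /uploads/, raising the severity when the same client issued a POST shortly before, which is the upload-then-execute sequence the advisory describes. The upload endpoint path in the sample lines is hypothetical:

```python
"""Access-log detection for webshell use under /uploads/: added example."""
import re
from datetime import datetime, timedelta

# Standard combined log format; referrer and user-agent are not needed here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_PHP_RE = re.compile(r"^/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields, or None for a line that is not combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(minutes=10)):
    """Return a list of (severity, ip, description) findings, in log order."""
    findings = []
    last_post = {}  # ip -> timestamp of that client's most recent POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, uri, status, ts = rec["ip"], rec["uri"], rec["status"], rec["ts"]
        if rec["method"] == "POST":
            # The access log does not show the uploaded filename, so every POST
            # is remembered as a possible upload step.
            last_post[ip] = ts
            continue
        if not UPLOAD_PHP_RE.match(uri):
            continue
        if 200 <= status < 300:
            # The server answered; if PHP handled the request, the shell ran.
            sev, desc = "HIGH", f"PHP file under /uploads/ served with {status}: {uri}"
        else:
            # Blocked (403) or missing (404): still an attempt worth triaging.
            sev, desc = "MEDIUM", f"request for PHP file under /uploads/ returned {status}: {uri}"
        if ip in last_post and ts - last_post[ip] <= window:
            sev = "HIGH"
            desc += " (follows a POST from the same client within the window)"
        findings.append((sev, ip, desc))
    return findings


# Constructed sample log; /index.php/upload is a hypothetical endpoint name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:14:02:11 +0000] "POST /index.php/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:14:02:19 +0000] "GET /uploads/customer_files/shell.php?cmd=id HTTP/1.1" 200 51 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2025:14:05:02 +0000] "GET /uploads/customer_files/invoice_12.pdf HTTP/1.1" 200 41022 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:14:07:40 +0000] "GET /uploads/x.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.10 - - [10/Jun/2025:14:08:01 +0000] "GET /index.php/dashboard HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


if __name__ == "__main__":
    for sev, ip, desc in detect(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {desc}")
```

A 403 on the probe request is the expected outcome once the web server workaround is in place; a 200 on a .php path under /uploads/ means the interpreter is still reachable there and the host should be treated as compromised until the file is examined.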