A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
The vulnerability results from unsafe deserialization of user-supplied input data in the \controller\Index.php component. An attacker can submit a specially crafted malicious serialized payload (known as a gadget chain), which is executed by the server with application privileges during the deserialization process. The mechanism (CWE-502) relies on the fact that the application deserializes data from an untrusted source without proper validation of its contents, enabling manipulation of execution logic.
An attacker can gain full control over the server — execute arbitrary code (RCE), read or modify data, and cause complete compromise of system confidentiality, integrity, and availability.
Apply patches available from the vendor according to references. It is recommended to immediately update the ThinkPHP framework to a version higher than 8.0.4 and monitor project repositories (https://github.com/top-think/think) to track security fix releases.
ThinkPHP in versions 6.1.3 through 8.0.4 (\controller\Index.php component)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThinkphp
APPThinkphp6.1.3 – 8.0.4
Related vulnerabilities
ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)
RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24
RCE w ThinkPHP 3 — wykonanie kodu przez komponent index.php
RCE w ThinkPHP 5.1 przez funkcję routecheck
Krytyczna podatność deserialization RCE w ThinkPHP v6.1.3–v8.0.4