CVE-2022-25481

HIGH NUCLEI

Thinkphp - Improper Access Control

Title source: rule

Description

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.

Nuclei Templates (1)

ThinkPHP 5.0.24 - Information Disclosure

HIGHVERIFIEDby caon

Shodan: title:"ThinkPHP" || http.title:"thinkphp" || cpe:"cpe:2.3:a:thinkphp:thinkphp"

FOFA: title="thinkphp" || header="think_lang"

References (1)

[Exploit, Third Party Advisory] https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0950

EPSS Percentile 92.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-284 CWE-668

Status published

Affected Products (2)

thinkphp/thinkphp

topthink/framework Packagist

Timeline

Published Mar 21, 2022

Tracked Since Feb 18, 2026