Cyber Resilience

CVE-2022-25481

HighPublic PoC

Published: 21 March 2022

Published
21 March 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0950 93.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-25481 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Thinkphp Thinkphp. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

ThinkPHP Framework version 5.0.24 is affected when deployed without the PATHINFO parameter enabled, resulting in exposure of all system environment parameters through direct access to index.php. The flaw is tracked under CWE-668 and CWE-284 and received a CVSS 3.1 base score of 7.5 reflecting network-accessible confidentiality impact without authentication.

Remote unauthenticated attackers can retrieve the full set of environment variables by issuing requests to the application entry point, potentially disclosing configuration secrets and runtime details. A third-party dispute notes that such exposure is an intended behavior when the framework operates in debugging mode.

The two references both point to the same technical write-up describing the information-leakage vector. The EPSS score rose from a low baseline to a peak of 0.2106 before receding to the current value of 0.0950, indicating a temporary increase in exploitation interest after public disclosure.

EU & UK References

Vulnerability details

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of…

more

the debugging mode.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

thinkphp
thinkphp
5.0.24

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-668

Enforces rules governing access to the system and its data from external systems based on established trust relationships.

addresses: CWE-284 CWE-668

This control requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.

addresses: CWE-284 CWE-668

Designating authorized individuals and mandating pre/post-publication reviews enforces access controls on who can publish content publicly.

addresses: CWE-284 CWE-668

Provides monitoring and protection against data mining patterns that exploit improper access controls to extract data.

addresses: CWE-284 CWE-668

Enforcing approved authorizations for information flows directly implements access control over data movements within and between systems.

addresses: CWE-284 CWE-668

Authorizing and reviewing internal connections enforces proper access control over system interfaces.

addresses: CWE-284 CWE-668

Identifying users with access to specific system components supports enforcement of proper access controls on information.

addresses: CWE-284 CWE-668

The control enforces access restrictions on media, directly mitigating improper access control weaknesses.

References