Cyber Resilience

CVE-2022-47945

Critical · Public PoC

Published: 23 December 2022

Modified: 15 April 2025
KEV Added
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9034 (99.6th percentile)
Risk Priority: 74 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-47945 is a critical-severity Path Traversal (CWE-22) vulnerability in the ThinkPHP framework (vendor: ThinkPHP). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ThinkPHP Framework versions prior to 6.0.14 contain a path traversal flaw (CWE-22) that permits local file inclusion through the lang parameter when the language pack feature is enabled via lang_switch_on=true. The issue resides in the framework's handling of language switching: the user-supplied value is used to locate a language pack file without being confined to the language directory, so crafted input can resolve to arbitrary files already present on the server, such as pearcmd.php, resulting in remote code execution.

An unauthenticated remote attacker can exploit the vulnerability over the network without user interaction to achieve full compromise of the affected application, including arbitrary operating system command execution. The CVSS 3.1 base score of 9.8 reflects the combination of network accessibility, lack of required privileges, and total impact on confidentiality, integrity, and availability.

Public references point to the official remediation in version 6.0.14, with the project repository showing the precise code changes that close the file inclusion vector; administrators are advised to upgrade promptly and ensure the language pack feature is disabled if not required.

The associated EPSS score remains consistently high near 0.90, indicating sustained exploitation interest following disclosure.

Vulnerability details

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: thinkphp
Product: thinkphp
Versions: ≤ 6.0.14

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
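As an added illustration of this control for the lang-parameter flaw described under Deeper analysis (example code, not code from the ThinkPHP project, and it does not use the framework's API), the Python function below confines a language-switch value to a known set of language packs and adds a resolved-path containment check as a second layer. The directory path, the allowed language codes and the sample request values are constructed for the example.

```python
import os
import re

# Constructed for the example: directory holding the language packs (not a
# real ThinkPHP path) and the only language codes this application ships.
LANG_DIR = "/var/www/app/lang"
ALLOWED_LANGS = {"en-us", "zh-cn", "de-de"}

# A language code is "xx" or "xx-yy": lowercase letters and one optional hyphen.
LANG_CODE_RE = re.compile(r"^[a-z]{2}(?:-[a-z]{2})?$")


def resolve_lang_file(lang, lang_dir=LANG_DIR, allowed=ALLOWED_LANGS):
    """Map a user-supplied language switch value to the pack file to load.

    Returns the absolute path, or None when the value must be rejected.
    Two independent checks are applied so that a gap in one does not
    reopen the traversal:
      1. allowlist: the value must match the strict code syntax and be a
         known code, so separators, dots and encoded bytes never reach
         the path join;
      2. containment: the joined path, after ".." segments are normalised,
         must still lie inside lang_dir.
    """
    if not isinstance(lang, str):
        return None
    code = lang.lower()
    if not LANG_CODE_RE.fullmatch(code) or code not in allowed:
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, code + ".php"))
    # Both paths are absolute, so commonpath compares them safely; anything
    # that normalised to a location outside base is refused.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_requests(values):
    """Classify a batch of candidate lang values (accepted -> True)."""
    return {v: resolve_lang_file(v) is not None for v in values}


if __name__ == "__main__":
    # Constructed sample values as they might appear in a request log.
    samples = ["en-us", "ZH-CN", "../../../etc/passwd", "/etc/passwd",
               "en-us/../../config", "fr-fr", "en-us%00"]
    for value, accepted in check_requests(samples).items():
        print(f"{'accept' if accepted else 'reject'}: {value!r}")
```

The allowlist alone closes this class of bug; the containment check is kept so that a later change to the code syntax (for example allowing region suffixes with other characters) cannot silently reintroduce traversal.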
