Cyber Posture

CVE-2025-44137

Severity: High · Public PoC

Published: 29 July 2025
Modified: 20 January 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0046 (64.1st percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44137 is a high-severity Path Traversal (CWE-22) vulnerability in Maptiler Tileserver Php. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent · SI-10 (Information Input Validation): Directly requires validation of GET parameters like TileMatrix, TileRow, TileCol, and Format to reject directory traversal sequences such as '../' before constructing file paths.

prevent · AC-3 (Access Enforcement): Enforces logical access restrictions in the renderTile function so that only authorized tile files are accessible, preventing traversal to arbitrary server files.

prevent: Mandates timely remediation of the specific path construction flaw via the patch in the referenced commit, eliminating the vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in a public-facing web application enables remote, unauthenticated reads of arbitrary server files (e.g. configuration files).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus reading any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format".

Deeper analysis (AI-generated)

CVE-2025-44137, published on 2025-07-29, is a directory traversal vulnerability (CWE-22) in MapTiler Tileserver-php version 2.0. The issue affects the renderTile function in tileserver.php, which serves tiles stored as files on the server in response to web requests. By injecting "../" sequences into the GET parameters TileMatrix, TileRow, TileCol, or Format, attackers can construct paths to access arbitrary files on the web server. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation involves crafting malicious requests to the affected endpoints, enabling the retrieval of any readable file on the server, such as configuration files or other sensitive data.

Mitigation is provided via a patch in the commit at https://github.com/maptiler/tileserver-php/commit/4fe14e6164bbe2a3f9e3b3d7acf303e3ec210c8e. Further details are documented in the GitHub issue https://github.com/maptiler/tileserver-php/issues/167 and a proof-of-concept repository at https://github.com/mheranco/CVE-2025-44137.
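The two controls recommended above (input validation and access enforcement) applied to the four affected GET parameters, as an added illustration written for this page; it is not tileserver-php's own code nor the content of the fix commit, and TILE_ROOT, the z/x/y directory layout and the format allowlist are assumptions. It targets PHP 8 (for str_starts_with).

```php
<?php
// Added example, not code from tileserver-php or its fix commit: the input
// validation and access enforcement controls named above, applied to the four
// GET parameters the advisory lists. TILE_ROOT and the z/x/y layout are assumed.
declare(strict_types=1);
const TILE_ROOT = '/var/www/tiles'; // hypothetical tile directory

// Input validation: returns normalised values, or null if any parameter is rejected.
function validateTileParams(array $get): ?array
{
    // Zoom, row and column are plain non-negative integers; anything else
    // (including '..', '/', '%2e' or a sign) is refused before a path exists.
    foreach (['TileMatrix', 'TileRow', 'TileCol'] as $name) {
        $v = $get[$name] ?? null;
        if (!is_string($v) || preg_match('/\A\d{1,10}\z/', $v) !== 1) {
            return null;
        }
    }
    // Format comes from a fixed allowlist, never from the raw string.
    if (!in_array($get['Format'] ?? null, ['png', 'jpg', 'jpeg', 'webp', 'pbf'], true)) {
        return null;
    }
    return ['z' => (int) $get['TileMatrix'], 'y' => (int) $get['TileRow'],
            'x' => (int) $get['TileCol'], 'ext' => $get['Format']];
}

// Access enforcement: build the path only from validated values, then confirm
// the canonical result is still inside TILE_ROOT. Null means "answer 404".
function resolveTilePath(string $layer, array $p): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $layer) !== 1) {
        return null; // the layer name is request-controlled too; keep it to a safe charset
    }
    $candidate = sprintf('%s/%s/%d/%d/%d.%s', TILE_ROOT, $layer,
                         $p['z'], $p['x'], $p['y'], $p['ext']);
    $real = realpath($candidate); // false when the file does not exist
    $root = realpath(TILE_ROOT);
    if ($real === false || $root === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null; // missing, or resolved outside the tile directory
    }
    return $real;
}

// Constructed requests: a normal tile and one carrying a traversal sequence.
$ok  = ['TileMatrix' => '3', 'TileRow' => '2', 'TileCol' => '5', 'Format' => 'png'];
$bad = ['TileMatrix' => '../../../../etc', 'TileRow' => 'passwd', 'TileCol' => '0', 'Format' => 'png'];
echo validateTileParams($ok) === null ? "ok: rejected\n" : "ok: accepted\n";
echo validateTileParams($bad) === null ? "bad: rejected\n" : "bad: accepted\n";
```

The realpath containment check is the backstop: even if a later code change loosens the parameter validation, a resolved path that escapes the tile directory is still refused rather than served.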

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

Vendor: maptiler
Product: tileserver php
Version: 2.0

CVEs Like This One

CVE-2025-44136 (same product: Maptiler Tileserver Php)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)
CVE-2025-25155 (shared CWE-22)
CVE-2024-51376 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)

References