CVE-2025-70841
Published: 03 February 2026
Summary
CVE-2025-70841 is a critical-severity Improper Authentication (CWE-287) vulnerability in Amcoders Dokans. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at percentile 27.2 (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): directly mitigates exposure of sensitive .env file contents by controlling and reviewing publicly accessible content so that restricted information such as APP_KEY and database credentials is excluded.
- Protects publicly accessible web endpoints to block unauthorized access to sensitive configuration data in files like /script/.env.
- CM-6 (Configuration Settings): enforces secure web server configuration settings that restrict access to sensitive files such as .env, preventing unauthenticated disclosure.
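As an added defensive example (not code from this page, from the Dokans product, or from the advisory author), the following Python shows the two practitioner-facing sides of the CM-6 control above: a request-path guard that refuses dotfiles such as .env before the application sees the request, and a detection pass that flags requests for such paths in web server access logs. The WSGI middleware, the helper names and the log lines are all assumptions constructed for this example; the log format assumed is the common "combined" format. The guard canonicalizes the path (percent-decoding, including double encoding, and traversal collapse) so that obfuscated spellings of /script/.env are caught as well as the literal one.

```python
import posixpath
import re
from urllib.parse import unquote

# Basenames that must never be served by the web tier, in addition to any
# dotfile or dot-directory. Constructed list for this example; extend to taste.
SENSITIVE_BASENAMES = {".env", ".env.example", ".git", ".htaccess", ".htpasswd"}


def normalize_path(raw_path: str) -> str:
    """Decode and canonicalize a request path so that encoded or
    traversal-obfuscated forms of /script/.env compare equal to it."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    for _ in range(2):                         # undo double encoding (%252e -> %2e -> .)
        path = unquote(path)
    path = path.replace("\\", "/")             # treat backslashes as separators
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)            # collapses "..", ".", "//"


def is_sensitive_path(raw_path: str) -> bool:
    """True when any path segment is a dotfile/dotdir or a known secret-bearing file."""
    for segment in normalize_path(raw_path).split("/"):
        if not segment or segment in (".", ".."):
            continue
        if segment.startswith(".") or segment in SENSITIVE_BASENAMES:
            return True
    return False


class DenyDotfiles:
    """Hypothetical WSGI middleware: refuse sensitive paths with 403 before the
    wrapped application (e.g. a Laravel-style app behind a Python front) runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_sensitive_path(environ.get("PATH_INFO", "/")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)


def demo_request(path: str):
    """Run one request through the middleware over a trivial app; returns (status, body)."""
    captured = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello\n"]

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(DenyDotfiles(app)({"PATH_INFO": path}, start_response))
    return captured["status"], body


# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2026:10:00:01 +0000] "GET /script/.env HTTP/1.1" 200 1843',
    '203.0.113.5 - - [03/Feb/2026:10:00:02 +0000] "GET /script/%2eenv HTTP/1.1" 403 9',
    '198.51.100.7 - - [03/Feb/2026:10:00:03 +0000] "GET /products?page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Feb/2026:10:00:04 +0000] "GET /assets/app.css HTTP/1.1" 200 300',
]


def scan_access_log(lines):
    """Return (ip, path, status) for every request aimed at a sensitive path.
    A 200 means the file was actually disclosed; a 403/404 still records probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_sensitive_path(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("sensitive path requested:", hit)
    print(demo_request("/script/.env"))
```

In a real deployment the denial belongs in the web server or reverse proxy in front of the application as well, so that a misrouted request never reaches PHP or static-file handling; the log scan is the check that tells you whether the control held (403/404 on every such request) or whether a 200 was ever returned and the APP_KEY and credentials must be rotated.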
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE exposes the .env configuration file via an unauthenticated HTTP GET on a public-facing web application (T1190); the file reveals credentials stored in files (T1552.001) and the Laravel APP_KEY, which can be used to forge web cookies and sessions (T1606.001).
NVD Description
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
Deeper analysis
CVE-2025-70841 is a critical vulnerability in Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2, where unauthenticated remote attackers can access sensitive application configuration data by directly requesting the /script/.env file. This exposed Laravel environment file discloses the APP_KEY used for encryption, database credentials, SMTP/SendGrid API credentials, and other internal parameters. Because of the multi-tenancy architecture, the issue impacts every tenant sharing the system. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) and is mapped to CWE-287 (Improper Authentication).
Any unauthenticated attacker with network access can exploit this by sending a simple HTTP GET request to the exposed endpoint, retrieving the full contents of the .env file without authentication or user interaction. Successful exploitation enables complete system compromise, including forging session tokens to bypass authentication, directly accessing the database for all tenant data, and taking over email infrastructure via stolen credentials.
Advisories and further details are documented on the product page on CodeCanyon at https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915 and in a dedicated security advisory on GitHub at https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md, published on 2026-02-03.
Details
- CWE(s)