ThinkPHP Deserialization Vulnerability (CVE-2022-45982)
The ThinkPHP framework suffers from a deserialization vulnerability (CVE-2022-45982) affecting versions 6.0.0-6.0.13 and 6.1.0-6.1.1, where unsanitized user input passed to unserialize() can allow attackers to execute arbitrary system commands, and no official patch has been released yet.
Vulnerability Description
ThinkPHP is a PHP development framework that uses an object‑oriented structure and the MVC pattern.
In the affected versions a deserialization vulnerability exists: if an application endpoint unserializes user-supplied data (e.g., `unserialize($input)`), an attacker with access to that endpoint can craft a malicious payload to execute arbitrary system commands.
Vulnerability Name
ThinkPHP Deserialization Vulnerability
Vulnerability Type
Deserialization
Discovery Date
2023-02-09
Impact Scope
General
MPS Number
MPS-2022-65347
CVE Number
CVE-2022-45982
CNVD Number
-
Affected Scope
topthink/framework@[6.0.0, 6.0.13]
topthink/framework@[6.1.0, 6.1.1]
Mitigation / Fix
topthink/framework has not released a new version yet; please follow the official channel: https://github.com/top-think/framework/releases
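As an added example (not code from the advisory or from the ThinkPHP project), the vulnerable pattern described above beside two application-level replacements that can be applied while no patched release exists; the endpoint, function names and the "client state" use case are assumptions:

```php
<?php
// Added example (not from the advisory or the ThinkPHP project). The endpoint,
// function names and the "client state" use case are assumptions.
// Vulnerable pattern from the advisory: user-controlled input reaches unserialize()
// unrestricted, so any autoloadable class can be instantiated with attacker-chosen
// properties and its magic methods (__wakeup, __destruct, ...) run.
function restoreStateUnsafe(string $input)
{
    return unserialize($input);
}

// Hardened variant 1: keep the format but forbid object instantiation. With
// allowed_classes => false every object becomes __PHP_Incomplete_Class, which is
// rejected here instead of being used; max_depth (PHP >= 7.4) bounds nesting.
function restoreStateSafe(string $input): array
{
    $data = unserialize($input, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($data) || containsObject($data)) {
        throw new InvalidArgumentException('only plain arrays are accepted as client state');
    }
    return $data;
}

function containsObject($value): bool
{
    if (is_object($value)) {          // includes __PHP_Incomplete_Class
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (containsObject($v)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant 2 (preferred for new code): JSON cannot express PHP objects,
// so no class is ever instantiated from the untrusted bytes.
function restoreStateJson(string $input): array
{
    $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed inputs: a plain array is accepted, any object (here stdClass) is rejected.
var_dump(restoreStateSafe(serialize(['page' => 2, 'sort' => 'name'])));
try { restoreStateSafe('O:8:"stdClass":0:{}'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

Grepping the code base for `unserialize(` calls that receive request, cookie or session-cookie data is the quickest way to find the endpoints this advisory applies to.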