CVE-2022-47945: ThinkPHP Framework vulnerable to remote code execution

December 23, 2022 (updated April 15, 2025)

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

References

github.com/advisories/GHSA-p4qr-vq2g-22wp
github.com/top-think/framework
github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099
github.com/top-think/framework/compare/v6.0.13...v6.0.14
nvd.nist.gov/vuln/detail/CVE-2022-47945
tttang.com/archive/1865

Code Behaviors & Features

Detect and mitigate CVE-2022-47945 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →