ThinkPHP 5.0.22 RCE

Rejah Rehim
Published on
16 Jun 2021
1 min read

ThinkPHP is an open-source framework for web application development. It is licenced under the Apache2 licence. Controller names are wrongly processed by the framework in ThinkPHP 5.0.22, causing the attacker to initiate any framework method, Because the root controllers are not subject to any specific filtering resulting in an RCE (Remote Code Execution) vulnerability.Threat actors are aggressively using ThinkPHP to infect a wide range of malware, primarily aimed at Internet of Things (IoT) devices.


In the ThinkPHP framework, a specifically designed value in the filter HTTP parameter can lead to arbitrary code execution.

Mitigation / Precaution

  • We suggest that you update to version 5.0.23 / 5.1.31 or higher of ThinkPHP in order to fix this vulnerability.
  • Directly apply the patch: In thinkphp 5.0, add the following code to line 554 of thinkphp/library/think/App.php, In thinkphp 5.1, line 63 of thinkphp/library/think/route/dispatch/Url.php.
     if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) 
           throw new HttpException(404, 'controller not exists:' . $controller);
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment