CVE-2024-44902: 
PHP vulnerability analysis and mitigation

A deserialization vulnerability has been identified in ThinkPHP versions 6.1.3 to 8.0.4. This critical security flaw was disclosed on September 9, 2024, and has been assigned CVE-2024-44902. The vulnerability affects all installations of ThinkPHP between these versions and allows attackers to execute arbitrary code on affected systems (NVD, MITRE).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically requires the ThinkPHP framework to have the Memcached extension installed to be exploitable. The issue is related to unsafe deserialization of data, which is classified under CWE-502 (Deserialization of Untrusted Data) (NVD, GitHub POC).

The vulnerability allows attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. Given the CVSS score of 9.8, this vulnerability represents a critical risk to affected systems, with potential impacts on system confidentiality, integrity, and availability (NVD).

Organizations running affected versions of ThinkPHP (v6.1.3 to v8.0.4) should upgrade to a patched version as soon as possible. If immediate upgrading is not possible, organizations should consider disabling the Memcached extension if not strictly required (NVD).